Overview Apache CloudStack provides a registerUserKeys API that allows a user to create or recreate a secret key and an API key to use for authentication when using the CloudStack API. A malicious user can request this API action in conjunction with the ID of another CloudStack user/account.  The newly created or re-generated API keys for […]

Overview Apache CloudStack contains an authentication module providing “single sign-on” functionality via the SAML data format. Under certain conditions, a user could manage to access the user interface without providing proper credentials. As the SAML plugin is disabled by default, this issue only affects installations that have enabled and use SAML-based authentication. Mitigation: Users of […]

Overview A vulnerability has been recently disclosed by Qualys that could result in a remote attacker being able to execute malicious instructions on vulnerable systems. The vulnerability affects Linux based operating systems. This is better known as GHOST ‘glibc’ vulnerability (CVE-2015-0235): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 What is ShapeBlue Doing ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS).  The […]