The H – (International) CloudStack alert users to critical vulnerability. Citrix and the Apache Software Foundation alerted users to a critical vulnerability in the CloudStack open source cloud infrastructure management software. All versions downloaded from the cloudstack.org site will be vulnerable. CloudStack is also an incubating Apache project but there have been no official releases from Apache of that project. If users took the source from the Apache project, that software will be vulnerable. Details of the issue were disclosed October 7; it appears the system had a configuration issue which meant any use could execute arbitrary CloudStack API calls such as deleting all the VMs in the system. A workaround, detailed in the various announcements, involves logging into the MySQL database that backs the system and setting a random password on the cloud.user account. The Apache CloudStack code was updated with a fix for the issue and it is believed the issue should not affect any upcoming releases of the incubating Apache CloudStack project; version 4.0 has currently been frozen and a release candidate is expected soon.
Ali Loney, on October 09, 2012