The Apache Software Foundation is warning users about a configuration problem in the open-source CloudStack platform that could allow an attacker to take a number of unwanted actions, including deleting all of the virtual machines on a system.
CloudStack is a project that’s under incubation at the Apache Software Foundation and there hasn’t yet been an official release of the platform. However, users can download versions of it from the Apache project page and all of the versions up until Oct. 7 are vulnerable to this issue. The vulnerability is considered critical, but the maintainers of the project have developed a workaround to mitigate the effects of the bug.
“The CloudStack PPMC was notified of a configuration vulnerability that exists in development versions of the Apache Incubated CloudStack project. This vulnerability allows a malicious user to execute arbitrary CloudStack API calls. A malicious user could, for example, delete all VMs in the system. Addressing this issue is especially important for anybody using CloudStack in a public environment,” John Kinsella of the Apache CloudStack PPMC wrote in a report on the bug.
In order to mitigate the effects of the vulnerability, users can log into the CloudStack database and make a small configuration change:
- Log in to the CloudStack database via MySQL:
  $ mysql -u cloud -p -h host-ip-address
- Disable the system user and set a random password:
  mysql> update cloud.user set password=RAND() where id=1;
  mysql> quit;
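The same workaround, as an added example that is not part of the article or the Apache advisory, wrapped in a transaction so that exactly one row is touched and the password value is confirmed to have changed before the change is committed. It assumes only the id and password columns of cloud.user that the advisory's own statement uses, and a MySQL server that supports user variables and ROW_COUNT().

```sql
-- Added example (not from the advisory): apply the workaround with checks.
-- Assumes the cloud.user table has the id and password columns used in the
-- advisory's UPDATE statement; no other schema details are assumed.
START TRANSACTION;

-- Record the current value so the change can be verified afterwards.
SELECT password INTO @before FROM cloud.user WHERE id = 1;

-- The advisory's mitigation: overwrite the system user's password with a
-- random value so the stored credential no longer matches anything known.
UPDATE cloud.user SET password = RAND() WHERE id = 1;

-- Exactly one row (the system user) must have been affected.
SELECT ROW_COUNT() INTO @rows_changed;

SELECT password INTO @after FROM cloud.user WHERE id = 1;

-- Both checks must hold: one row updated, and the value actually changed.
-- Run ROLLBACK instead of COMMIT if either column shows 0.
SELECT @rows_changed = 1 AS one_row_updated,
       @before <> @after  AS password_changed;

COMMIT;
```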
Users can also download an updated version of the platform from the project page.