From the ‘Multi-tenant VM Security’ files:
Apache CloudStack is being updated to version 4.0.2 today, fixing at least 40 bugs.
From my perspective, two of the flaws are particularly interesting, and those are the security flaws.
CVE-2013-2756 is a flaw that could potentially enable an attacker to gain unauthorized access to another person’s virtual machines. That’s a particularly scary thought, especially given the common refrain that multi-tenancy is a security concern when it comes to the cloud.
“An attacker with knowledge of CloudStack source code could gain unauthorized access to the console of another tenant’s VM,” John Kinsella wrote in a mailing list posting.
The other flaw is an information disclosure related issue.
URLs generated by Apache CloudStack to provide console access to virtual machines contained a hash of a predictable sequence, the hash of which was generated with a weak algorithm. While not easy to leverage, this may allow a malicious user to gain unauthorized console access.
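To make the console-URL issue concrete, here is an added illustration (not CloudStack's code, and not the exact construction the advisory refers to) of why a hash over a predictable sequence cannot serve as an access token, and what a keyed alternative looks like. The VM identifier, the counter-based input, the use of MD5 as the "weak algorithm", the HMAC-SHA256 scheme and the expiry window are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


def weak_console_token(vm_id: str, sequence: int) -> str:
    """Constructed weak scheme: an unkeyed digest over predictable input.

    The input (VM id plus a monotonically increasing counter) is guessable
    and the digest involves no secret, so the token is fully determined by
    public knowledge of how it is built. MD5 stands in for the advisory's
    "weak algorithm"; this is NOT CloudStack's actual implementation.
    """
    material = f"{vm_id}:{sequence}".encode()
    return hashlib.md5(material).hexdigest()


def signed_console_token(vm_id: str, expires_at: int, key: bytes) -> str:
    """Hardened scheme: HMAC-SHA256 over the VM id and an expiry time.

    The key lives only on the management server. Knowing the scheme, the VM
    id and the timestamp is not enough to produce a valid tag without it.
    """
    message = f"{vm_id}:{expires_at}".encode()
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return f"{expires_at}.{tag}"


def verify_console_token(vm_id: str, token: str, key: bytes,
                         now: Optional[int] = None) -> bool:
    """Accept a token only if it is well-formed, unexpired, bound to this VM
    and carries a tag computed under the server's key."""
    now = int(time.time()) if now is None else now
    try:
        expires_str, tag = token.split(".", 1)
        expires_at = int(expires_str)
    except ValueError:
        return False
    if expires_at < now:
        return False
    expected = hmac.new(key, f"{vm_id}:{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch reveals nothing about where it failed.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Contrast the two schemes; every value below is constructed for the demo."""
    key = secrets.token_bytes(32)        # server-side secret
    other_key = secrets.token_bytes(32)  # a key an outsider does not have
    vm_id = "i-2-42-VM"                  # constructed VM identifier
    now = 1_700_000_000                  # fixed clock for reproducibility
    good = signed_console_token(vm_id, now + 300, key)
    expired = signed_console_token(vm_id, now - 1, key)
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
    return {
        # Anyone who knows the construction recomputes the weak token exactly.
        "weak_recomputable_without_secret":
            weak_console_token(vm_id, 7) == hashlib.md5(b"i-2-42-VM:7").hexdigest(),
        "signed_valid": verify_console_token(vm_id, good, key, now),
        "signed_wrong_key": verify_console_token(vm_id, good, other_key, now),
        "signed_expired": verify_console_token(vm_id, expired, key, now),
        "signed_other_vm": verify_console_token("i-2-43-VM", good, key, now),
        "signed_tampered": verify_console_token(vm_id, tampered, key, now),
        "signed_malformed": verify_console_token(vm_id, "not-a-token", key, now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The lesson the demo encodes is that a token's unpredictability has to come from something the attacker cannot know (a server-held key or a random value stored server-side), not from the choice of hash function alone; swapping MD5 for SHA-256 in the weak scheme would change nothing about its guessability.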
Both of the security issues were identified by a security team at Citrix, meaning that these issues were found privately and disclosed to Apache CloudStack, while the first 4.0 release debuted in November of 2012.
Sean Michael Kerner is a senior editor at ServerWatch and InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.