ESA-01: Password Reset Vulnerability
==================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-01
Date: 12-16-2010
Severity: Critical
Access type: Remote
Affected Versions: Eucalyptus 2.0.0; Eucalyptus 2.0.1
CVEs: CVE-2010-3905
==================================================================

OVERVIEW
--------
A security vulnerability has been identified in Eucalyptus versions 2.0.0 and 2.0.1. An update is now available that resolves this issue. We advise immediately updating all affected Eucalyptus installations following the instructions below.

DESCRIPTION
-----------
An unauthenticated remote attacker could issue password reset requests to gain access to a Eucalyptus system and potentially obtain admin privileges.

SOLUTION
--------
Eucalyptus 2.0.2 resolves this issue (see instructions below).

INSTRUCTIONS
------------
To update Eucalyptus 2.0.0 or 2.0.1 to Eucalyptus 2.0.2:

1. Download the updated Eucalyptus software from this location:
   http://open.eucalyptus.com/download

2. Next, follow the Eucalyptus 2.0 series upgrade instructions for your particular distribution, as shown here:
   http://open.eucalyptus.com/wiki/EucalyptusUpgrade_v2.0

UPDATED PACKAGES
----------------
eucalyptus-2.0.2-centos-i386.tar.gz MD5: 413856848c9748daa457cbb551e31ad2
eucalyptus-2.0.2-centos-x86_64.tar.gz MD5: e89c38e87da4995feb3d123b360f5ee8
eucalyptus-2.0.2-fedora-i386.tar.gz MD5: 433cfd577106a1cfbbbddcb3e9eb325f
eucalyptus-2.0.2-fedora-x86_64.tar.gz MD5: 188e7bd3f621f0bd42912ddd80632f8c
eucalyptus-2.0.2-opensuse-i386.tar.gz MD5: 2456c2d96478cb6e3a99968c65de75b9
eucalyptus-2.0.2-opensuse-x86_64.tar.gz MD5: 1f2426b1fbc67005a057ea2055a22bab
eucalyptus-2.0.2-squeeze.tar.gz MD5: d0199e5851b2f6e8606c2632405cc2a1
eucalyptus-2.0.2-src-deps.tar.gz MD5: d5a0e643502e01a56558f329f7fe950e
eucalyptus-2.0.2-src-offline.tar.gz MD5: b304305b6839f0ed3a4397bbc40c3972
eucalyptus-2.0.2-src-online.tar.gz MD5: 03af41e42fdc0e64c9f4bb15cfc70794

ADDITIONAL INFORMATION
----------------------
Users running Eucalyptus on Ubuntu should refer to the Ubuntu security announcement USN-1033-1:
http://www.ubuntu.com/usn/usn-1033-1

CONTACT and HELP
----------------
Contact the Eucalyptus Security Team via email at security@eucalyptus.com.
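One way to check a downloaded tarball against the UPDATED PACKAGES list before running the upgrade, as an added example that is not part of the original advisory. It assumes the list has been saved to a text file with one "<file> MD5: <hash>" entry per line; the function names are illustrative.

```shell
# Added example, not Eucalyptus code. Requires md5sum and awk.

# expected_md5 MANIFEST NAME
# Prints the hash listed for NAME (lowercased), or nothing if NAME is absent.
expected_md5() {
    awk -v name="$2" \
        '$1 == name && $2 == "MD5:" { print tolower($3); exit }' "$1"
}

# verify_package MANIFEST TARBALL
# Returns 0 if the computed MD5 equals the listed one, 1 on mismatch,
# 2 if the file is unreadable, unlisted, or the listed hash is malformed.
verify_package() {
    vp_manifest=$1
    vp_tarball=$2
    vp_name=$(basename "$vp_tarball")

    if [ ! -r "$vp_manifest" ] || [ ! -r "$vp_tarball" ]; then
        echo "$vp_name: tarball or manifest not readable" >&2
        return 2
    fi

    vp_want=$(expected_md5 "$vp_manifest" "$vp_name")
    if [ -z "$vp_want" ]; then
        echo "$vp_name: not listed in $vp_manifest" >&2
        return 2
    fi
    # A truncated paste must not be treated as a valid reference value.
    if ! printf '%s' "$vp_want" | grep -Eq '^[0-9a-f]{32}$'; then
        echo "$vp_name: listed MD5 is not 32 hex digits" >&2
        return 2
    fi

    # Read via stdin so a file name starting with "-" is not taken as an option.
    vp_got=$(md5sum < "$vp_tarball" | awk '{ print $1 }')
    if [ "$vp_got" = "$vp_want" ]; then
        echo "$vp_name: OK"
        return 0
    fi
    echo "$vp_name: MISMATCH (listed $vp_want, computed $vp_got)" >&2
    return 1
}
```

A match shows the download is the file the list describes; the list itself is only as trustworthy as the channel it was obtained over.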
