ESA-04: VMWare Broker Lack of Authentication Vulnerability
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-04
Date: 7-11-2012
Severity: Critical
Affected Versions: Eucalyptus 2.0.3, 3.0.1 and earlier
CVE Number: CVE-2012-3241
====================================================================
OVERVIEW
------------
A security vulnerability has been identified in Eucalyptus 3.0.1 and
earlier. An update is now available that resolves this issue. We advise
immediately updating all affected Eucalyptus installations following the
instructions below.
DESCRIPTION
-------------
VMware Broker is an optional Eucalyptus component activated only in
versions of Eucalyptus with VMware support. Broker enables
Eucalyptus to deploy virtual machines on VMware hypervisors
(ESX/ESXi) either directly or through VMware vCenter. A flaw
was found in the way VMware Broker authenticates SOAP
requests. An attacker could submit a SOAP request to VMware
Broker and execute commands supported by the VMware Broker API.
SOLUTION
-------------
Eucalyptus versions 3.0.2 and 3.1.0 resolve this issue.
Please see http://www.eucalyptus.com/download/eucalyptus
for instructions on downloading and upgrading to the latest
Eucalyptus software.
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at security@eucalyptus.com.
