ESA-08: Walrus Request Manipulation Vulnerability
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-08
Date: 2013-02-28
Severity Level: Important
Affected Versions: Eucalyptus 3.2.0 and earlier
CVE Number: CVE-2012-4066
====================================================================
OVERVIEW
------------
A security vulnerability has been identified in the internal message
protocol used by Eucalyptus components to communicate with Walrus in
Eucalyptus 3.2.0 and earlier. An update is now available that resolves
this issue. We advise immediately updating all affected Eucalyptus
installations following the instructions below.
DESCRIPTION
-------------
Walrus is a storage service included with Eucalyptus. It supports an
internal REST API that is used by Eucalyptus components to access data
stored on Walrus. The internal message protocol did not require all
supported request headers to be signed. This flaw allowed intercepted
internal requests to Walrus to be modified to manipulate (in a limited
way) data stored on Walrus. Modified requests could be used to perform
tasks including deleting or uploading snapshots.
SOLUTION
-------------
Eucalyptus version 3.2.1 resolves this issue.
Please see http://www.eucalyptus.com/download/eucalyptus
for instructions on downloading and upgrading to the latest
Eucalyptus software.
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at security@eucalyptus.com.
