May 25, 2011 — The Eucalyptus team is pleased to announce the release of Eucalyptus
2.0.3. This update resolves the security issue identified in [ESA-02](http://open.eucalyptus.com/wiki/esa-02): SOAP interfaces vulnerable to XML
Signature Element Wrapping attacks.
This vulnerability allows an unauthenticated remote attacker who has
access to the network traffic between an authenticated user and a Eucalyptus
installation to modify intercepted SOAP requests and submit valid
commands to the Eucalyptus SOAP interface. Special thanks to Juraj
Somorovsky, Jörg Schwenk, Meiko Jensen and Xiaofeng Lou who alerted
us to this vulnerability, thereby giving us all the needed details to produce
the current release.
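As an added illustration (not Eucalyptus or Rampart code) of the structural flaw behind signature wrapping and the binding check that closes it: the signed reference must resolve to the very Body the service processes, not to any element that happens to carry the referenced Id. The SOAP envelopes below are constructed samples with the signature value omitted.

```python
"""Structural check against XML Signature Wrapping in a WS-Security SOAP
envelope (added illustration; not Eucalyptus or Rampart code). Assumes the
cryptographic verification of ds:Signature already passed, so only the binding
between the signed reference and the Body actually processed is examined."""
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
WSU_ID = "{%s}Id" % NS["wsu"]


def signed_ids(env):
    """wsu:Id values covered by the Signature (ds:Reference URI="#id")."""
    refs = env.findall("soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    return {r.get("URI")[1:] for r in refs if r.get("URI", "").startswith("#")}


def naive_accepts(xml_text):
    """Vulnerable rule: accept if every signed reference resolves to *some*
    element with that Id, wherever it sits. A signed Body moved under a wrapper
    in the Header still resolves, while the application acts on another Body."""
    env = ET.fromstring(xml_text)
    ids = {el.get(WSU_ID) for el in env.iter()}
    return bool(signed_ids(env)) and signed_ids(env) <= ids


def hardened_accepts(xml_text):
    """Hardened rule: the Body that will be processed (direct child of Envelope)
    must itself be a signed reference, and its Id must occur on no other element."""
    env = ET.fromstring(xml_text)
    body = env.find("soap:Body", NS)  # direct child only, never a descendant search
    if body is None or body.get(WSU_ID) not in signed_ids(env):
        return False
    return [el for el in env.iter() if el.get(WSU_ID) == body.get(WSU_ID)] == [body]


# Constructed sample envelopes (signature value omitted; the structure is the point).
_HEAD = ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" '
         'xmlns:ds="%(ds)s"><soap:Header><wsse:Security><ds:Signature><ds:SignedInfo>'
         '<ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature></wsse:Security>' % NS)
GOOD = _HEAD + '</soap:Header><soap:Body wsu:Id="body-1"><DescribeInstances/></soap:Body></soap:Envelope>'
# Signed Body tucked away in the Header; an unsigned Body is what the processor would act on.
WRAPPED = (_HEAD + '<Wrapper><soap:Body wsu:Id="body-1"><DescribeInstances/></soap:Body></Wrapper>'
           '</soap:Header><soap:Body><DescribeImages/></soap:Body></soap:Envelope>')
# Same, but the substituted Body reuses the signed Id: caught by the uniqueness rule.
DUP_ID = WRAPPED.replace('<soap:Body><DescribeImages/>', '<soap:Body wsu:Id="body-1"><DescribeImages/>')
```

The naive rule accepts all three envelopes; the hardened rule accepts only `GOOD`, rejecting the wrapped message whether the substituted Body is unsigned or reuses the signed Id.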
This release tightens the WS-Security policy employed by the Eucalyptus
components and updates Rampart, the security module Eucalyptus uses to
implement WS-Security. These changes adjust replay detection and
timestamp validation rules. **Notice:** As a result of these changes,
users may experience failures when issuing the same command in rapid
succession, since Eucalyptus may now interpret the repeated command as a replay attack.
For client tools and libraries, including current versions of euca2ools
and boto, inserting a one-second delay between issues of the same command is
enough to avoid this issue.
For more information on our security policy and security contacts, please
visit our [Security Information](http://open.eucalyptus.com/wiki/security) page.