ESA-01: Password Reset Vulnerability


==================================================================
Eucalyptus Security Advisory

Advisory ID:            ESA-01
Date:                   12-16-2010
Severity:               Critical
Access type:            Remote
Affected Versions:      Eucalyptus 2.0.0; Eucalyptus 2.0.1  
CVEs:                   CVE-2010-3905
==================================================================

OVERVIEW
--------

A security vulnerability has been identified in Eucalyptus versions 2.0.0
and 2.0.1.  An update is now available that resolves this issue. We advise
immediately updating all affected Eucalyptus installations following the
instructions below.

DESCRIPTION
-----------

An unauthenticated remote attacker could issue password reset requests to
gain access to a Eucalyptus system and potentially obtain admin
privileges.


SOLUTION 
--------

Eucalyptus 2.0.2 resolves this issue (see instructions below).

INSTRUCTIONS 
------------

To update Eucalyptus 2.0.0 or 2.0.1 to Eucalyptus 2.0.2:

1. Download the updated Eucalyptus software from this location:

http://open.eucalyptus.com/download

2. Next, follow the Eucalyptus 2.0 series upgrade instructions for your
   particular distribution, as shown here:

http://open.eucalyptus.com/wiki/EucalyptusUpgrade_v2.0

UPDATED PACKAGES
----------------

eucalyptus-2.0.2-centos-i386.tar.gz MD5: 413856848c9748daa457cbb551e31ad2  
eucalyptus-2.0.2-centos-x86_64.tar.gz   MD5: e89c38e87da4995feb3d123b360f5ee8
eucalyptus-2.0.2-fedora-i386.tar.gz MD5: 433cfd577106a1cfbbbddcb3e9eb325f  
eucalyptus-2.0.2-fedora-x86_64.tar.gz   MD5: 188e7bd3f621f0bd42912ddd80632f8c  
eucalyptus-2.0.2-opensuse-i386.tar.gz   MD5: 2456c2d96478cb6e3a99968c65de75b9  
eucalyptus-2.0.2-opensuse-x86_64.tar.gz MD5: 1f2426b1fbc67005a057ea2055a22bab  
eucalyptus-2.0.2-squeeze.tar.gz     MD5: d0199e5851b2f6e8606c2632405cc2a1  
eucalyptus-2.0.2-src-deps.tar.gz    MD5: d5a0e643502e01a56558f329f7fe950e  
eucalyptus-2.0.2-src-offline.tar.gz MD5: b304305b6839f0ed3a4397bbc40c3972  
eucalyptus-2.0.2-src-online.tar.gz  MD5: 03af41e42fdc0e64c9f4bb15cfc70794  
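
Added example, not part of the original advisory: one way to check a
downloaded tarball against the MD5 list above before upgrading. The function
names, the manifest file (the package lines saved to a text file) and the
sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a downloaded tarball against an advisory-style list.
# Manifest lines follow the UPDATED PACKAGES layout:
#   <file name><whitespace>MD5: <32 hex digits>
# Assumes md5sum (GNU coreutils) and a POSIX awk are installed.

# expected_md5 MANIFEST NAME -> prints the listed digest in lowercase;
# exit status 1 when NAME is not listed.
expected_md5() {
    awk -v name="$2" '
        { sub(/\r$/, "") }    # tolerate CRLF copies of the advisory
        $1 == name && $2 == "MD5:" { print tolower($3); found = 1; exit }
        END { exit !found }' "$1"
}

# verify_package MANIFEST FILE -> 0 match, 1 mismatch, 2 cannot check.
verify_package() {
    manifest=$1 file=$2
    want=$(expected_md5 "$manifest" "$(basename "$file")") || {
        echo "NOT LISTED: $file" >&2; return 2; }
    case $want in
        *[!0-9a-f]*) echo "BAD DIGEST listed for $file" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 32 ] || { echo "BAD DIGEST listed for $file" >&2; return 2; }
    [ -r "$file" ] || { echo "UNREADABLE: $file" >&2; return 2; }
    got=$(md5sum < "$file" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file (listed $want, computed $got)" >&2
        return 1
    fi
}

# Constructed sample: an empty file and a one-line manifest carrying the
# MD5 of empty input. Neither is a real Eucalyptus package or digest.
demo() {
    dir=$(mktemp -d) || return 2
    : > "$dir/sample-package.tar.gz"
    printf '%s\n' 'sample-package.tar.gz   MD5: d41d8cd98f00b204e9800998ecf8427e  ' \
        > "$dir/manifest.txt"
    rc=0
    verify_package "$dir/manifest.txt" "$dir/sample-package.tar.gz" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# With two arguments, check a real file; with none, run the constructed demo.
if [ $# -eq 2 ]; then verify_package "$1" "$2"; else demo; fi
```

A match means the file arrived intact and is the one the list names. MD5 is
not collision resistant, so treat this as a corruption check only.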

ADDITIONAL INFORMATION
----------------------

Users running Eucalyptus on Ubuntu should refer to the Ubuntu security
announcement USN-1033-1:

http://www.ubuntu.com/usn/usn-1033-1

CONTACT and HELP
----------------

Contact the Eucalyptus Security Team via email at security@eucalyptus.com.
