ESA-02: SOAP Interfaces Vulnerable to XML Signature Element Wrapping Attacks

====================================================================
Eucalyptus Security Advisory

Advisory ID:                    ESA-02
Date:                           5-25-2011
Severity:                       Critical
Access type:                    Remote
Affected Versions:              Eucalyptus EE 2.0.1,
                                Eucalyptus 2.0.2 and earlier
CVEs:                           CVE-2011-0730
====================================================================

OVERVIEW
--------

A security vulnerability has been identified in Eucalyptus EE 2.0.1,
Eucalyptus 2.0.2 and earlier.  An update is now available that resolves
this issue. We advise immediately updating all affected Eucalyptus
installations following the instructions below.

DESCRIPTION
-----------

This vulnerability allows an unauthenticated remote attacker who has
access to the network traffic between an authenticated user and a Eucalyptus
installation to modify intercepted SOAP requests and submit arbitrary
commands to the Eucalyptus SOAP interface in the context of the
authenticated user. Special thanks to Juraj Somorovsky, Jörg Schwenk,
Meiko Jensen and Xiaofeng Lou, who warned us about this vulnerability and
gave us all the details needed to produce the current release.
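The defender-side check that this class of bug calls for, as an added example that is not part of the advisory or of the Eucalyptus code base: once the XML Signature value itself has been cryptographically verified, confirm that the Body the service is about to execute is exactly the element the signature reference covers, so that a second, unsigned Body cannot be dispatched under a still-valid signature. It assumes a WS-Security envelope using wsu:Id references and only the Python standard library; the sample envelopes are constructed for the test.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


def signed_body_is_dispatched_body(envelope_xml: str) -> bool:
    """True only if the one Body the service will execute carries a wsu:Id that a
    ds:Reference in the Security header covers, and nothing else in the document
    can satisfy that reference. Run this after the signature value has verified."""
    root = ET.fromstring(envelope_xml)
    if root.tag != f"{{{SOAP}}}Envelope":
        return False
    bodies = root.findall(f"{{{SOAP}}}Body")  # direct children of Envelope only
    if len(bodies) != 1:
        return False
    body = bodies[0]
    body_id = body.get(f"{{{WSU}}}Id")
    if not body_id:
        return False  # a Body without a signed ID is never dispatched
    # Only references inside Header/Security count as signature coverage.
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if security is None:
        return False
    uris = {ref.get("URI") for ref in security.iter(f"{{{DS}}}Reference")}
    if "#" + body_id not in uris:
        return False
    # The ID must resolve to exactly one element, and that element must be this Body;
    # a duplicate ID elsewhere would let ID-based dereferencing pick the wrong node.
    holders = [el for el in root.iter() if el.get(f"{{{WSU}}}Id") == body_id]
    return len(holders) == 1 and holders[0] is body


def _envelope(header_extra: str, body_attrs: str) -> str:
    """Build a constructed test envelope whose Security header references '#Body'."""
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
        "<s:Header><wsse:Security><ds:Signature><ds:SignedInfo>"
        '<ds:Reference URI="#Body"/></ds:SignedInfo></ds:Signature>'
        f"{header_extra}</wsse:Security></s:Header>"
        f"<s:Body {body_attrs}><Operation/></s:Body></s:Envelope>"
    )


# Constructed samples (not taken from the advisory): a normally signed request, and one
# where the signed Body was relocated under the Security header so the dispatched Body
# is unsigned even though the signature over the relocated element still verifies.
LEGITIMATE = _envelope("", 'wsu:Id="Body"')
WRAPPED = _envelope('<s:Body wsu:Id="Body"><Operation/></s:Body>', "")
```

The check rejects both the relocated-Body case and a duplicate wsu:Id anywhere in the envelope, which is the ambiguity an ID-based dereference cannot resolve safely.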

SOLUTION
--------

Eucalyptus EE 2.0.2 and Eucalyptus 2.0.3 resolve this issue.

INSTRUCTIONS
------------

To update Eucalyptus EE 2.0 installations to Eucalyptus EE 2.0.2:

1. Download the updated Eucalyptus software from this location:

http://www.eucalyptussoftware.com/downloads/products/eee/

2. Next, follow the Eucalyptus EE 2.0 series upgrade instructions for your
   particular distribution, as shown in the EE 2.0 Administrator's Guide:

   http://www.eucalyptus.com/resources/documentation


To update Eucalyptus 2.0 installations to Eucalyptus 2.0.3:

1. Download the updated Eucalyptus software from this location:

http://open.eucalyptus.com/download

2. Next, follow the Eucalyptus 2.0 series upgrade instructions for your
   particular distribution, as shown here:

http://open.eucalyptus.com/wiki/EucalyptusUpgrade_v2.0

UPDATED PACKAGES
----------------

Eucalyptus EE:
eucalyptus-centos-i386-2.0.2eee.tar.gz          MD5:e28c6c476782f8797e8a322c9bcfe269
eucalyptus-centos-x86_64-2.0.2eee.tar.gz        MD5:6bd250db20a9c692f19b2e04f659c9db
eucalyptus-deps-centos-i386-2.0.2eee.tar.gz     MD5:99f3a1e1f2714e087d4a9aa523d3b688
eucalyptus-deps-centos-x86_64-2.0.2eee.tar.gz   MD5:fd6a5ac4dcd906bfb602ec09eca6cca7
eucalyptus-deps-opensuse-i586-2.0.2eee.tar.gz   MD5:a5215c66d59879ec14d48e920955ec83
eucalyptus-deps-opensuse-x86_64-2.0.2eee.tar.gz MD5:1ba8422634aa6c608e898dfa3001392b
eucalyptus-opensuse-i586-2.0.2eee.tar.gz        MD5:2c1f74a714890772fc64b412605fabb0
eucalyptus-opensuse-x86_64-2.0.2eee.tar.gz      MD5:2f11b11a2c2bdde6b8bbf36d219e13bc

Eucalyptus:
eucalyptus-2.0.3-centos-i386.tar.gz             MD5:698cd38e34158c42c15150e1d89872e7
eucalyptus-2.0.3-centos-x86_64.tar.gz           MD5:0f03a29e4cdc05f9eb293eb9bc2e26bd
eucalyptus-2.0.3-fedora-i386.tar.gz             MD5:7dc1c610a969a4010bac003858d601a7
eucalyptus-2.0.3-fedora-x86_64.tar.gz           MD5:6bced857d66d10a82392d298085982de
eucalyptus-2.0.3-opensuse-i386.tar.gz           MD5:bfa715f8908c0b147fc032c4293bdd1f
eucalyptus-2.0.3-opensuse-x86_64.tar.gz         MD5:d000e024286e454f9d9366c1b3100d5a
eucalyptus-2.0.3-squeeze.tar.gz                 MD5:3551a2a6802b643bcc735845c6a1ea36
eucalyptus-2.0.3-src-deps.tar.gz                MD5:aea055ab6e3fcb5d1e0b9702cf7b51f9
eucalyptus-2.0.3-src-offline.tar.gz             MD5:1dbef9620da90736637113108e8c3631
eucalyptus-2.0.3-src-online.tar.gz              MD5:e3f3ce2a9e110acadf3a0e88f45e19ba

ADDITIONAL INFORMATION
----------------------

Users running Ubuntu Enterprise Cloud powered by Eucalyptus (UEC) should
refer to the Ubuntu security announcement USN-1137-1:

http://www.ubuntu.com/usn/usn-1137-1

CONTACT and HELP
----------------

Contact the Eucalyptus Security Team via email at security@eucalyptus.com.
