HP Helion Eucalyptus Security Advisory

Advisory ID: ESA-02
Severity Level: Critical
Issue Date: 2011-05-25
Last Updated: 2011-05-25
Affected Products: HP Helion Eucalyptus EE 2.0.1, HP Helion Eucalyptus 2.0.2 and earlier

Overview

A security vulnerability has been identified in HP Helion Eucalyptus EE 2.0.1, HP Helion Eucalyptus 2.0.2 and earlier. An update is now available that resolves this issue. We advise immediately updating all affected HP Helion Eucalyptus installations following the instructions below.

Description

This vulnerability allows an unauthenticated remote attacker who has access to the network traffic between an authenticated user and an HP Helion Eucalyptus installation to modify intercepted SOAP requests and submit arbitrary commands to the HP Helion Eucalyptus SOAP interface in the context of the authenticated user. Special thanks to Juraj Somorovsky, Jörg Schwenk, Meiko Jensen and Xiaofeng Lou, who warned us about this vulnerability and gave us all the details needed to produce the current release.

Solution

HP Helion Eucalyptus EE 2.0.2 and HP Helion Eucalyptus 2.0.3 resolve this issue.

Instructions

To update HP Helion Eucalyptus EE 2.0 installations to HP Helion Eucalyptus EE 2.0.2:

  1. Download the updated HP Helion Eucalyptus software from this location:

http://downloads.eucalyptus.com/software/eucalyptus/2.0.3/

  2. Next, follow the HP Helion Eucalyptus EE 2.0 series upgrade instructions for your particular distribution, as shown in the EE 2.0 Administrator's Guide:

https://www.eucalyptus.com/docs

To update HP Helion Eucalyptus 2.0 installations to HP Helion Eucalyptus 2.0.3:

  1. Download the updated HP Helion Eucalyptus software from this location:

https://www.eucalyptus.com/download/eucalyptus

  2. Next, follow the HP Helion Eucalyptus 2.0 series upgrade instructions for your particular distribution, as shown here:

https://www.eucalyptus.com/eucalyptus-cloud/documentation/eucalyptus/2.0

Updated packages

HP Helion Eucalyptus EE:

eucalyptus-centos-i386-2.0.2eee.tar.gz MD5:e28c6c476782f8797e8a322c9bcfe269
eucalyptus-centos-x86_64-2.0.2eee.tar.gz MD5:6bd250db20a9c692f19b2e04f659c9db
eucalyptus-deps-centos-i386-2.0.2eee.tar.gz MD5:99f3a1e1f2714e087d4a9aa523d3b688
eucalyptus-deps-centos-x86_64-2.0.2eee.tar.gz MD5:fd6a5ac4dcd906bfb602ec09eca6cca7
eucalyptus-deps-opensuse-i586-2.0.2eee.tar.gz MD5:a5215c66d59879ec14d48e920955ec83
eucalyptus-deps-opensuse-x86_64-2.0.2eee.tar.gz MD5:1ba8422634aa6c608e898dfa3001392b
eucalyptus-opensuse-i586-2.0.2eee.tar.gz MD5:2c1f74a714890772fc64b412605fabb0
eucalyptus-opensuse-x86_64-2.0.2eee.tar.gz MD5:2f11b11a2c2bdde6b8bbf36d219e13bc

HP Helion Eucalyptus:

eucalyptus-2.0.3-centos-i386.tar.gz MD5:698cd38e34158c42c15150e1d89872e7
eucalyptus-2.0.3-centos-x86_64.tar.gz MD5:0f03a29e4cdc05f9eb293eb9bc2e26bd
eucalyptus-2.0.3-fedora-i386.tar.gz MD5:7dc1c610a969a4010bac003858d601a7
eucalyptus-2.0.3-fedora-x86_64.tar.gz MD5:6bced857d66d10a82392d298085982de
eucalyptus-2.0.3-opensuse-i386.tar.gz MD5:bfa715f8908c0b147fc032c4293bdd1f
eucalyptus-2.0.3-opensuse-x86_64.tar.gz MD5:d000e024286e454f9d9366c1b3100d5a
eucalyptus-2.0.3-squeeze.tar.gz MD5:3551a2a6802b643bcc735845c6a1ea36
eucalyptus-2.0.3-src-deps.tar.gz MD5:aea055ab6e3fcb5d1e0b9702cf7b51f9
eucalyptus-2.0.3-src-offline.tar.gz MD5:1dbef9620da90736637113108e8c3631
eucalyptus-2.0.3-src-online.tar.gz MD5:e3f3ce2a9e110acadf3a0e88f45e19ba
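
A downloaded tarball can be checked against the "filename MD5:hash" pairs listed above before it is installed. The script below is an added example, not part of the original advisory or of any Eucalyptus tooling; the function names `manifest_md5`, `verify_tarball` and `demo` are hypothetical, GNU `md5sum` is assumed, and the demo file is constructed.

```shell
#!/bin/sh
# Added example: verify a download against "filename MD5:hex" pairs.
# Two entries copied from the advisory's list; paste the full list in practice.
ADVISORY_MANIFEST='eucalyptus-2.0.3-squeeze.tar.gz MD5:3551a2a6802b643bcc735845c6a1ea36
eucalyptus-2.0.3-src-online.tar.gz MD5:e3f3ce2a9e110acadf3a0e88f45e19ba'

# manifest_md5 MANIFEST FILENAME: print the listed hash, exit 1 if unlisted.
# Pairs may be separated by spaces or newlines (hypothetical helper).
manifest_md5() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | awk -v f="$2" '
        prev == f && length($0) == 36 && /^MD5:[0-9a-fA-F]+$/ {
            print tolower(substr($0, 5)); found = 1; exit
        }
        { prev = $0 }
        END { exit !found }'
}

# verify_tarball MANIFEST PATH
# Returns 0 = match, 1 = mismatch, 2 = file name not in manifest, 3 = no file.
verify_tarball() {
    name=$(basename "$2")
    expected=$(manifest_md5 "$1" "$name") || { echo "UNLISTED $name"; return 2; }
    [ -f "$2" ] || { echo "MISSING $name"; return 3; }
    actual=$(md5sum "$2" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
    else
        echo "MISMATCH $name"
        return 1
    fi
}

# Constructed demo: an empty file has MD5 d41d8cd98f00b204e9800998ecf8427e.
demo() {
    dir=$(mktemp -d) && : > "$dir/sample.tar.gz"
    verify_tarball "sample.tar.gz MD5:d41d8cd98f00b204e9800998ecf8427e" \
        "$dir/sample.tar.gz"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

For a real download, call `verify_tarball "$ADVISORY_MANIFEST" ./eucalyptus-2.0.3-squeeze.tar.gz` and install only on `OK`. An MD5 match shows the file was not corrupted or truncated in transit; it is not a signature over the package.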

Additional Information

Users running Ubuntu Enterprise Cloud powered by HP Helion Eucalyptus (UEC) should refer to the Ubuntu security announcement USN-1137-1.

http://www.ubuntu.com/usn/usn-1137-1

Contact and help

Contact the HP Helion Eucalyptus security team at euca-security@hp.com.