ESA-13: Unauthorized Access to CC/NC Log Files ==================================================================== Eucalyptus Security Advisory Advisory ID: ESA-13 Issue Date: 2013-08-27 Last Updated: 2013-09-11 Severity Level: Moderate Affected Versions: Eucalyptus 3.3.0 and earlier CVE Number: CVE-2013-4766 ==================================================================== OVERVIEW ------------ A vulnerability has been identified in Eucalyptus 3.3.0 and earlier. Anonymous/unauthenticated user could get access to log files of Cluster Controller (CC) and Node Controller (NC) components. An update is now available that resolves this issue. DESCRIPTION ------------- A flaw was identified in the implementation of gather log service on both the CC and the NC. An unauthenticated user with remote access to a CC or an NC could retrieve the component’s log files. This could lead to disclosure of information internal to Eucalyptus cloud. SOLUTION ------------- Eucalyptus version 3.3.1 resolves this issue. Please see http://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest Eucalyptus software. CONTACT and HELP ------------- Contact the Eucalyptus Security Team at firstname.lastname@example.org.