ESA-13: Unauthorized Access to CC/NC Log Files

ESA-13: Unauthorized Access to CC/NC Log Files

====================================================================
Eucalyptus Security Advisory

Advisory ID:                  ESA-13
Issue  Date:                  2013-08-27
Last Updated:                 2013-09-11
Severity Level:               Moderate
Affected Versions:            Eucalyptus 3.3.0 and earlier
CVE Number:                   CVE-2013-4766
====================================================================

OVERVIEW
------------

A vulnerability has been identified in Eucalyptus 3.3.0 and earlier. Anonymous/unauthenticated user could get access to log files of Cluster Controller (CC) and Node Controller (NC) components. An update is now available that resolves this issue.


DESCRIPTION
-------------

A flaw was identified in the implementation of gather log service on both the CC and the NC. An unauthenticated user with remote access to a CC or an NC could retrieve the component’s log files. This could lead to disclosure of information internal to Eucalyptus cloud.


SOLUTION
-------------

Eucalyptus version 3.3.1 resolves this issue.  Please see
http://www.eucalyptus.com/download/eucalyptus for instructions on
downloading and upgrading to the latest Eucalyptus software.



CONTACT and HELP
-------------

Contact the Eucalyptus Security Team at security@eucalyptus.com.