A vulnerability has been identified in HP Helion Eucalyptus 3.0.0 through 3.3.1. An authenticated HP Helion Eucalyptus user can execute potentially arbitrary shell commands with root privileges on Node Controller (NC) components. An update is now available that resolves this issue. We advise immediately updating all affected HP Helion Eucalyptus installations.
A flaw was identified in the implementation of the instance bundling functionality on NC hosts. A user with permission to bundle instances could manipulate the input parameters of a bundle request and execute potentially arbitrary shell commands on the NC with root privileges. This could lead to complete compromise of the NC and potentially allow access to data on EBS and Walrus.
If an immediate upgrade is not possible, existing installations can be protected from the vulnerability by disabling BundleInstance functionality (creation of EMIs from running Windows instances). To apply the workaround, perform the following on each of the CC hosts in your installation:
- In /usr/lib64/axis2c/services/EucalyptusCC/services.xml remove the following consecutive three lines:
  <operation name="BundleInstance">
    <parameter name="wsamapping">EucalyptusCC#BundleInstance</parameter>
  </operation>
- Restart the Cluster Controller service:
# service eucalyptus-cc restart
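As an added example (not Eucalyptus code), the following script audits a Cluster Controller's services.xml for the BundleInstance operation and applies the removal described above while keeping a backup; the services.xml path is the one named in this advisory, and the embedded sample XML is constructed for illustration.

```python
"""Audit for, and optionally remove, BundleInstance in the CC's services.xml."""
import shutil
import sys
import xml.etree.ElementTree as ET

SERVICES_XML = "/usr/lib64/axis2c/services/EucalyptusCC/services.xml"  # path from the advisory

# Constructed sample shaped like the advisory's three lines; not a real file.
SAMPLE = """<service name="EucalyptusCC">
  <operation name="DescribeInstances">
    <parameter name="wsamapping">EucalyptusCC#DescribeInstances</parameter>
  </operation>
  <operation name="BundleInstance">
    <parameter name="wsamapping">EucalyptusCC#BundleInstance</parameter>
  </operation>
</service>"""

def _bundle_children(parent):
    """Direct <operation name="BundleInstance"> children of one element."""
    return [c for c in parent if c.tag == "operation" and c.get("name") == "BundleInstance"]

def is_exposed(xml_text):
    """True while the CC still advertises BundleInstance (workaround not applied)."""
    return any(_bundle_children(e) for e in ET.fromstring(xml_text).iter())

def disable_bundle_instance(xml_text):
    """Return (new_xml, removed_count) with every BundleInstance operation pruned."""
    root = ET.fromstring(xml_text)
    # Collect first, then prune: removing while iterating root.iter() would skip nodes.
    victims = [(p, c) for p in root.iter() for c in _bundle_children(p)]
    for parent, op in victims:
        parent.remove(op)
    return ET.tostring(root, encoding="unicode"), len(victims)

def main(path=SERVICES_XML):
    with open(path) as fh:
        text = fh.read()
    if not is_exposed(text):
        print("BundleInstance not present; nothing to change")
        return 0
    shutil.copy2(path, path + ".bak")  # ET re-serialisation drops comments: keep a backup
    new_text, n = disable_bundle_instance(text)
    with open(path, "w") as fh:
        fh.write(new_text)
    print(f"removed {n} BundleInstance operation(s); now run: service eucalyptus-cc restart")
    return 0

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it once per CC host as root, then restart the Cluster Controller as the advisory instructs; a second run reports that nothing remains to change.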
HP Helion Eucalyptus version 3.3.2 resolves this issue.
Please see https://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest HP Helion Eucalyptus software.
Contact and help
Contact the HP Helion Eucalyptus security team at email@example.com.