VULNERABILITIES / FIXES - October 25, 2013
by Carol~ - 10/25/13 10:34 AM
Eucalyptus Bundle Instance Functionality Shell Command Injection Vulnerability
Release Date : 2013-10-25
Criticality level : Less critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch
Software: Eucalyptus 3.x
A vulnerability has been reported in Eucalyptus, which can be exploited by malicious users to compromise a vulnerable system.
The vulnerability is caused by an error in the bundling instance functionality and can be exploited to inject and execute arbitrary shell commands with root privileges on Node Controller (NC) components and subsequently gain access to data on EBS and Walrus.
Successful exploitation requires bundle instances permissions.
The vulnerability is reported in versions 3.0.0 through 3.3.12.
Update to version 3.3.2.
Provided and/or discovered by:
Reported by the vendor.