
The CloudStack security team recently received notice of a significant vulnerability in a CloudStack API call, registerUserKeys. The original intention for this call was for it to be exposed only for integration work, i.e. not to the public network in general. A weakness in the API call's implementation allows a malicious user to reset the API keys of other users on the system, and thereby access the resources and services available to those users. We have released CloudStack versions 4.8.1.1 and 4.9.0.1 with patches for this issue. More details about the release can be read in the official announcement post.
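The advisory above describes a missing authorization check on a key-reset call. The following Python sketch is an added illustration of the check such an endpoint needs, not CloudStack's code or its actual fix; the role labels, the path-style domain names, the sample users and the function names are all constructed assumptions. It places the weak pattern (trust the supplied user id, never ask who is calling) beside the hardened one, which decides on self, root-admin or domain-admin-over-target before any key is touched.

```python
"""Authorization check for an API-key reset call (constructed illustration).

The role names, domain layout, sample users and function names are
assumptions for illustration, not CloudStack's implementation.
"""
import secrets
from dataclasses import dataclass

ROOT_DOMAIN = "ROOT"


@dataclass
class User:
    user_id: int
    domain: str          # constructed path-style domain name, e.g. "ROOT/acme"
    role: str            # "user", "domain-admin" or "root-admin" (constructed labels)
    api_key: str = ""
    secret_key: str = ""


def domain_is_within(domain: str, ancestor: str) -> bool:
    """True if `domain` equals `ancestor` or lies beneath it in the domain tree."""
    return domain == ancestor or domain.startswith(ancestor + "/")


def may_reset_keys(caller: User, target: User) -> bool:
    """The decision a key-reset endpoint must make before changing anything:
    the caller is the target, a root admin, or a domain admin over the target's domain."""
    if caller.user_id == target.user_id:
        return True
    if caller.role == "root-admin":
        return True
    if caller.role == "domain-admin":
        return domain_is_within(target.domain, caller.domain)
    return False


def register_user_keys_unchecked(users: dict, target_id: int) -> tuple:
    """The weak pattern: the supplied id is trusted and the caller is never consulted."""
    target = users[target_id]
    target.api_key = secrets.token_urlsafe(32)
    target.secret_key = secrets.token_urlsafe(32)
    return target.api_key, target.secret_key


def register_user_keys(caller: User, users: dict, target_id: int) -> tuple:
    """Hardened pattern: authorize first, and only then rotate the target's keys."""
    target = users.get(target_id)
    if target is None or not may_reset_keys(caller, target):
        # One error for both "no such user" and "forbidden", so ids cannot be enumerated.
        raise PermissionError("not permitted to reset keys for this user")
    target.api_key = secrets.token_urlsafe(32)
    target.secret_key = secrets.token_urlsafe(32)
    return target.api_key, target.secret_key


def sample_users() -> dict:
    """Constructed sample directory: two plain users and an admin in ROOT/acme,
    an admin of a sibling domain, and a root admin."""
    return {u.user_id: u for u in (
        User(1, "ROOT/acme", "user", api_key="old-alice-key"),
        User(2, "ROOT/acme", "user"),
        User(3, "ROOT/acme", "domain-admin"),
        User(4, "ROOT/other", "domain-admin"),
        User(5, ROOT_DOMAIN, "root-admin"),
    )}


if __name__ == "__main__":
    users = sample_users()
    bob, alice = users[2], users[1]
    print("unchecked reset by bob of alice succeeds:", bool(register_user_keys_unchecked(users, 1)))
    try:
        register_user_keys(bob, users, 1)
    except PermissionError as exc:
        print("hardened reset by bob of alice refused:", exc)
```

The point worth noting is that the hardened version separates the policy (`may_reset_keys`) from the state change, so the decision can be unit-tested in isolation and audited without reading the key-generation code.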

The first Apache CloudStack™ Collab conference of 2016 will take place on June 1-3, 2016 in beautiful Montreal, Canada. This conference is aimed at developers, operators and users to discuss and evolve the open source software project, its functionality and real world operability. Part talks, part workshops, part hackathon, this event will present a great opportunity for attendees and sponsors alike. CloudOps is thrilled to host this conference at its event space, Centre cloud.ca in the heart of the city.

Today I sent out two CloudStack-related security advisories: CVE-2015-3251 (related to VM credential exposure) and CVE-2015-3252 (related to VNC authentication). Details about these issues can be found on the CloudStack user and dev mailing lists, as well as on the Full Disclosure and BUGTRAQ security mailing lists.

The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today the availability of Apache™ CloudStack™ v4.6, the turnkey Open Source cloud computing software platform used for creating private-, public-, and hybrid cloud environments.

Apache CloudStack clouds enable billions of dollars' worth of business transactions annually, and the platform's maturity and stability have led it to become the Open Source platform for many service providers to set up on-demand, elastic public cloud computing services, as well as for enterprises and others to set up a private or hybrid cloud for use by their own employees.

"This 4.6 release of Apache CloudStack marks a significant shift in how we release CloudStack," said Sebastien Goasguen, Vice President of Apache CloudStack. "With a focus on quality and speed of releasing software, we implemented a new release workflow which allows us to have a production-ready release branch all the time, and allows us to quickly release new features. From now on, CloudStack will be released much faster without regression and with increased quality in each version."

Recognized as the Cloud orchestration platform that "just works", CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources.

Under the Hood

CloudStack v4.6 reflects dozens of new features and improvements, including:

  • NuageVsp Network Plugin
  • Bind integration with Globo DNSAPI
  • SAML 2.0 Plugin
  • Managed storage for KVM
  • Improved CloudByte Storage Plugin
  • Use SSH for commands sent to Virtual-Router
  • Baremetal Advanced Networking Support
  • Instance Password Generation length can now be changed

A complete overview of all new enhancements is detailed in the project release notes.

CloudStack v4.6 reflects more than 200 bug fixes from previous releases.

Apache CloudStack is in use/production at thousands of organizations worldwide, including BIT.Group GmbH, BT Cloud, China Telecom, CloudOps, DATACENTER Services, DataCentrix, Datapipe, EVRY, Exaserve, Exoscale, IDC Frontier, iKoula, Imperial College, INRIA, KDDI, Korea Telecom, LeaseWeb, M5 Hosting Inc., Melbourne University, Reliable Networks, Redbridge, SafeSwiss Cloud, Schuberg Philis, ShapeBlue, Tranquil Hosting, Trader Media Group, University of Cologne, and the University of Sao Paulo, among others.

"With the 4.6 release the Apache CloudStack continues to mature adding important new functionality that will benefit CloudCentral's customers," said Kristoffer Sheather, Founder & Chief of Australian cloud services provider CloudCentral, who have been using Apache CloudStack since 2010. "The new Redundant Routers for Virtual Private Cloud (VPC) networks feature will ensure continuous availability of customer VPC networks, and Browser Based Template & Volume Upload will make it easier for our customers to import and use their choice of operating system ISO images and import VM templates from other cloud systems."

"CloudOps is very excited about the release of Apache CloudStack 4.6, which represents significant improvements in feature set and quality," said Ian Rae, CEO of CloudOps. "We are proud of our involvement in this landmark release and look forward to supporting our customers achieve operational success in upgrading to and operating clouds based on this release. Apache CloudStack is the best kept secret in open source cloud computing and has a global user base of cloud operators many of whom contribute to the project."

"The 4.6 release of Apache CloudStack brings new features and fixes bugs which are critical for our Aurora cloud offering at PCextreme," said Wido den Hollander, CEO of PCextreme. "We've worked hard with the community to get 4.6 released. The committers working at PCextreme resolved multiple issues and also introduced new features in CloudStack including a new StatsCollector output to Graphite and better support for CEPH. This new release allows us to grow our cloud even further."

"I'm very excited with launch of the Apache CloudStack version 4.6," said Cyrano Rizzo, CIO of the University of Sao-Paulo. "This version brought many new features and benefits, such as the case in resilience with the new redundant router for VPC, the capability to rapid deployment, demo and test to run the Apache CloudStack inside Docker that will speed the growth, the possibility to manage the resources with Graphite, the ease of upload templates and volumes, among many others, this version also brought many improvements, I'm very happy with one in particular that makes SAML plugin to production grade, this functionality is helping me to build a huge project called interCloud that intend to federate many public universities across the Brazil with Single Sign On."

Get Involved!

Apache CloudStack welcomes contribution and community participation through mailing lists as well as attending face-to-face MeetUps, developer trainings, and user events. Catch Apache CloudStack in action at the next CloudStack European User Group on 3 March 2016 in London.

Updated July 11th, 2015:

After reviewing CloudStack components and seeing Debian's advisory on CVE-2015-1793 (CloudStack's "system VM" is Debian based), it looks like CloudStack is not affected by this vulnerability.

Original post follows...

On the 9th of July, the OpenSSL project announced a high severity vulnerability within the OpenSSL library. While this particular vulnerability does not seem to affect SSL servers, there are security issues with SSL clients powered by OpenSSL. Because of this, we suspect there may be issues with parts of CloudStack which initiate SSL connections.

At this point we are still reviewing which particular versions of OpenSSL are used by different versions of CloudStack. Once this review is complete, we will further update the community and this post as to our next steps.

UPDATE: mitigation instructions have been improved (don't update openswan) and we forgot to mention rebooting.
UPDATE: Links to updated System VM templates are now below

Yesterday, a buffer overflow vulnerability was announced in glibc that affects most current Linux distributions. In CloudStack, the system VMs contain a vulnerable version of glibc.

CloudStack community members have built an updated system VM template, which ShapeBlue is hosting at http://packages.shapeblue.com/systemvmtemplate/ (More information on the packages at http://shapeblue.com/packages).

For instructions on how to update the SystemVM template in CloudStack, see here.

For those who wish to patch their running system VMs, ssh into each one and run the following commands (openswan is held back so that the upgrade does not replace it):

  apt-mark hold openswan
  apt-get clean
  apt-get update && apt-get upgrade

After updating glibc, the system will need to be rebooted.

Information about how to connect to your System VMs is available here.

Other CloudStack-related systems may be affected!

Please review security updates from Linux distributions you use on your management server, storage systems, hypervisors, as well as other Linux VMs and bare-metal systems running in your environments. This post provides instructions for determining if a system is vulnerable, as well as patching directions for common Linux distributions.

The Apache CloudStack project is pleased to announce the 4.3.2 release of the CloudStack cloud orchestration platform. This is a minor release of the 4.3 branch, which was released on March 25, 2014. The 4.3.2 release contains more than 100 bug fixes since the 4.3.1 release. As a bug fix release, no new features are included in 4.3.2.

As a minor release it is a simple upgrade from 4.3.0 or 4.3.1 with no architectural changes.

Documentation

The 4.3.2 Release Notes include a full list of corrected issues as well as upgrade instructions from previous versions of Apache CloudStack.

http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.3.2/

The official installation, administration and API documentation for each release are available on our Documentation Page.

http://docs.cloudstack.apache.org/

Downloads

The official source code for the 4.3.2 release can be downloaded from our Downloads Page.

http://cloudstack.apache.org/downloads.html

About Apache CloudStack

Apache CloudStack is an integrated Infrastructure-as-a-Service (IaaS) software platform that allows users to build feature-rich public and private cloud environments. CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources. The project became an Apache top level project in March 2013.

For additional marketing or communications information, please contact the marketing mailing list: marketing@cloudstack.apache.org

To learn how to join and contribute to the Apache CloudStack community please visit our website: cloudstack.apache.org

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds

CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Affected:
Apache CloudStack 4.3, 4.4

Description:
Apache CloudStack may be configured to authenticate LDAP users. When so configured, it performs a simple LDAP bind with the name and password provided by a user. Simple LDAP binds are defined with three mechanisms (RFC 4513): 1) username and password; 2) unauthenticated, if only a username is specified; and 3) anonymous, if neither username nor password is specified. Currently, Apache CloudStack does not check whether a password was provided, which could allow an attacker to bind as an unauthenticated user.

Mitigation:
Users of Apache CloudStack 4.4 and derivatives should update to the latest version (4.4.2).

An updated release for Apache CloudStack 4.3.2 is in testing. Until that is released, we recommend following the mitigation below:

By default, many LDAP servers are not configured to allow unauthenticated binds. If the LDAP server in use allows this behaviour, a potential interim solution would be to consider disabling unauthenticated binds.
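The three simple-bind mechanisms in the description above, and the missing password check, can be made concrete without a directory server. The Python below is an added illustration, not CloudStack's LDAP code: MockDirectory is a constructed stand-in for an LDAP server whose allow_unauthenticated flag models the server-side setting the mitigation talks about, and the DN template, user record and function names are assumptions. It shows a login routine that treats "bind did not fail" as success, which accepts a name-only bind when the server permits one, beside a hardened routine that rejects empty credentials before binding and additionally requires the bind to return an authenticated identity.

```python
"""Simple-bind mechanisms per RFC 4513 and the missing check described in CVE-2014-7807.

Constructed illustration: MockDirectory stands in for a real LDAP server, and the
DN layout, sample records and function names are assumptions, not CloudStack code.
"""
import enum
from typing import Dict, Optional


class BindKind(enum.Enum):
    """The three simple-bind mechanisms named in RFC 4513 section 5.1."""
    AUTHENTICATED = "name and password"
    UNAUTHENTICATED = "name only"
    ANONYMOUS = "neither name nor password"


def classify_simple_bind(name: str, password: str) -> BindKind:
    """Classify a simple bind request the way the RFC does."""
    if name and password:
        return BindKind.AUTHENTICATED
    if name:
        return BindKind.UNAUTHENTICATED
    return BindKind.ANONYMOUS


class BindError(Exception):
    """Stand-in for a failed LDAP bind (invalidCredentials or unwillingToPerform)."""


class MockDirectory:
    """Constructed stand-in for an LDAP server.

    allow_unauthenticated models a server configured to accept name-only binds;
    RFC 4513 says servers SHOULD reject them by default, but deployments can enable them.
    """

    def __init__(self, passwords: Dict[str, str], allow_unauthenticated: bool):
        self._passwords = passwords            # DN -> password (constructed sample data)
        self.allow_unauthenticated = allow_unauthenticated

    def bind(self, dn: str, password: str) -> Optional[str]:
        """Return the authorization identity the bind established.

        None means the connection is anonymous, which is what both an anonymous
        bind and an accepted unauthenticated bind leave behind.
        """
        kind = classify_simple_bind(dn, password)
        if kind is BindKind.ANONYMOUS:
            return None
        if kind is BindKind.UNAUTHENTICATED:
            if self.allow_unauthenticated:
                return None            # the bind "succeeds" without authenticating anyone
            raise BindError("unwillingToPerform: unauthenticated bind rejected")
        if self._passwords.get(dn) != password:
            raise BindError("invalidCredentials")
        return dn


def user_dn(username: str) -> str:
    """Constructed DN template; real deployments usually derive the DN from an LDAP search."""
    return f"uid={username},ou=people,dc=example,dc=org"


def authenticate_vulnerable(directory: MockDirectory, username: str, password: str) -> bool:
    """Treats any bind that does not raise as a successful login: the flaw in the advisory."""
    try:
        directory.bind(user_dn(username), password)
        return True
    except BindError:
        return False


def authenticate_hardened(directory: MockDirectory, username: str, password: str) -> bool:
    """Refuse empty credentials before binding, and insist on an authenticated identity back."""
    if not username or not password:
        return False                   # a name-only request must never reach the server
    try:
        identity = directory.bind(user_dn(username), password)
    except BindError:
        return False
    return identity == user_dn(username)   # anonymous authorization state is not a login


if __name__ == "__main__":
    permissive = MockDirectory({user_dn("alice"): "s3cret"}, allow_unauthenticated=True)
    print("vulnerable, empty password:", authenticate_vulnerable(permissive, "alice", ""))
    print("hardened,   empty password:", authenticate_hardened(permissive, "alice", ""))
    print("hardened,   right password:", authenticate_hardened(permissive, "alice", "s3cret"))
```

The second condition in the hardened routine matters even after the empty-password check: a client-side check can be bypassed by other code paths, so verifying that the directory actually bound as the expected DN is the defence that does not depend on how the request arrived.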

Credit:
This issue was identified by the Citrix Security Team.

Command Line Interface Tool Simplifies Apache CloudStack Configuration and Management

11 November 2014 — Apache CloudStack, the mature, turnkey Open Source cloud computing software platform used for creating private, public, and hybrid cloud environments, today announced Apache CloudMonkey v5.3.0, the latest feature release of its command line interface tool.

CloudMonkey is written in Python, and can be used both as an interactive shell and as a command line tool that simplifies CloudStack configuration and management.

Apache CloudMonkey v5.3.0 is the latest feature release of the 5.x line that was first released in September 2013. Some of the new features and changes include:

  • Unicode support in CloudMonkey;
  • Better autocompletion for API arguments, filter arguments and config options;
  • Current server profile is displayed on the prompt;
  • Changing server profile prints masked values of passwords and keys;
  • New command line argument -d for display options such as default, json and table;
  • New config option “verifysslcert” that enables/disables SSL certificate checking when making HTTP API calls;
  • CloudMonkey outputs without color on terminal in non-interactive mode;
  • Better error handling, errors written to stderr and non-zero exit codes in case of error;
  • Several bugfixes related to networking, server profiles and unicode string handling

Downloads and Documentation

The official source code for CloudMonkey v5.3.0 can be downloaded from http://cloudstack.apache.org/downloads.html. A community-maintained distribution is available at the Python Package Index (PyPi) at http://pypi.python.org/pypi/CloudMonkey/

CloudMonkey's usage is documented at https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+CloudMonkey+CLI. Package documentation can be found at http://pythonhosted.org/cloudmonkey/

Availability and Oversight

As with all Apache products, CloudMonkey is released under the Apache License v2.0, and is overseen by a self-selected team of active contributors to the project. The Apache CloudStack Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases.

About Apache CloudStack

Apache CloudStack is a mature, turnkey integrated Infrastructure-as-a-Service (IaaS) Open Source software platform that allows users to build feature-rich public and private cloud environments. Hailed by Gartner Group as "a solid product", CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources. CloudStack entered the Apache Incubator in April 2012 and became an Apache Top-level Project in March 2013. For downloads, documentation, and ways to become involved with Apache CloudStack, visit http://cloudstack.apache.org/ and https://twitter.com/CloudStack

Mature, easy-to-deploy Open Source Cloud computing software platform boasts improved efficiency and performance.

The Apache CloudStack project announced the immediate availability of Apache CloudStack v4.4.1, the latest version of the turnkey Open Source cloud computing software platform used for creating private-, public-, and hybrid cloud environments.

Apache CloudStack clouds enable billions of dollars' worth of business transactions annually, and the platform's maturity and stability have led it to become the Open Source platform for many service providers to set up on-demand, elastic public cloud computing services, as well as for enterprises and others to set up a private or hybrid cloud for use by their own employees.

"We are delighted to be releasing version 4.4.1 of Apache CloudStack," said Giles Sirett, member of the Apache CloudStack Project Management Committee. "This latest version of CloudStack reflects months of hard work by our diverse developer community and brings even more features to help our service-provider and enterprise users enhance their cloud platforms. Apache CloudStack continues to grow in both deployments and developer community size, and is the platform of choice for thousands of organisations that need to build IaaS environments quickly and securely with a proven, production-grade, technology."

Lauded by Gartner Group, CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources.

CloudStack v4.4.1 reflects dozens of new features and improvements, including:

  • Improved Storage Management
  • Virtual Private Cloud tiers can now span guest networks across availability zones
  • Support for VMware Distributed Resource Scheduler
  • Improved Support for Hyper-V Zones, VPC and Storage Migration

A complete overview of all new enhancements can be found in the project release notes at http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.4.1/

CloudStack has been used by thousands of organizations worldwide and is in use/production at Alcatel-Lucent, Autodesk, BT Cloud, China Telecom, DATACENTER Services, DataPipe, Edmunds.com, Exoscale, GreenQloud, Hokkaido University, IDC Frontier, Ikoula, KDDI, KT/Korea Telecom, LeaseWeb, NTT, Orange, PCextreme, Schuberg Philis, Shopzilla, Slovak Telekom, SunGard AS, Taiwan Mobile, Tata, Trader Media Group, TomTom, University of Melbourne, University of Sao Paulo, Verizon, WebMD and Zynga, among others.

CloudStack originated at Cloud.com, which was acquired by Citrix in 2011. CloudStack was submitted to the Apache Incubator in April 2012 and graduated as an Apache Software Foundation Top-level Project in March 2013.

Availability

CloudStack v4.4.1 is available immediately as a free download from http://cloudstack.apache.org/downloads.html. Apache CloudStack software is released under the Apache License v2.0.

Governance and Oversight

Apache CloudStack is overseen by a self-selected team of active contributors to the project. A Project Management Committee (PMC) guides the Project's day-to-day operations, including community development and product releases.

Get Involved!

Apache CloudStack welcomes contribution and community participation through mailing lists as well as attending face-to-face MeetUps, developer trainings, and user events. Catch CloudStack in action at the CloudStack Collaboration Conference, the official user/developer conference of the Apache CloudStack community, 19-21 November 2014 in Budapest, Hungary (@CCCEU14, http://cloudstackcollab.org).

About Apache CloudStack

Apache CloudStack is a mature, turnkey integrated Infrastructure-as-a-Service (IaaS) Open Source software platform that allows users to build feature-rich public and private cloud environments. Hailed by Gartner Group as "a solid product", CloudStack includes an intuitive user interface and rich APIs for managing the compute, networking, software, and storage infrastructure resources. CloudStack entered the Apache Incubator in April 2012 and became an Apache Top-level Project in March 2013. For downloads, documentation, and ways to become involved with Apache CloudStack, visit http://cloudstack.apache.org/ and https://twitter.com/CloudStack

© The Apache Software Foundation. "Apache", "CloudStack", "Apache CloudStack", the Apache CloudStack logo, and the Apache CloudStack Cloud Monkey logo are registered trademarks or trademarks of The Apache Software Foundation. All other brands and trademarks are the property of their respective owners.