In a recent blog post, CloudStack’s Joe Brockmeier acknowledged that a critical security flaw had been found in the open source cloud computing software. “A configuration vulnerability has been discovered in CloudStack that could allow a malicious user to execute arbitrary CloudStack API calls, such as deleting all VMs being managed by CloudStack,” Brockmeier wrote.
“Cloudstack is one of the largest open source cloud infrastructure management systems together with OpenStack and Eucalyptus,” writes CRN Australia’s Juha Saarinen. “Incubated by the Apache Software foundation, Cloudstack counts over 50 large organisations such as Intel, BT, Alcatel-Lucent, ActiveState and Tata Communications among its technology partners. In March this year, Citrix announced that it would abandon its OpenStack distribution in favour of the CloudStack operating system.”
“A workaround, detailed in the various announcements, involves logging into the MySQL database that backs the system and setting a random password on the cloud.user account,” The H Security reports. “The Apache CloudStack code has been updated with a fix for the issue and it is believed that the issue should not affect any upcoming releases of the incubating Apache CloudStack project; version 4.0 has currently been frozen and a release candidate is expected soon.”