Vulnerabilities > CVE-2012-5616 - Credentials Management vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 | |
| Application | 1 |
Common Weakness Enumeration (CWE)
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 57259 CVE(CAN) ID: CVE-2012-5616 Apache CloudStack是部署和管理大型虚拟机网络的开源软件。 Apache CloudStack 4.0.0-incubating及其他版本存在安全漏洞,本地用户可利用此漏洞泄露敏感信息。 1) createSSHKeyPair API命令内存在错误,此命令将新建的SSH密钥存储在日志文件中,可造成密钥泄露。 2)AddHost API呼叫将某些信息记录在日志文件内,可造成泄露已添加主机的密码。 3)DeployVM和ResetPasswordForVM API呼叫将某些信息记录在日志文件内,可造成泄露已添加VM的密码。 0 Apache Group CloudStack 4.x 厂商补丁: Apache Group ------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://httpd.apache.org/ |
| id | SSV:60586 |
| last seen | 2017-11-19 |
| modified | 2013-01-14 |
| published | 2013-01-14 |
| reporter | Root |
| title | Apache CloudStack本地信息泄露漏洞 |
References
- http://support.citrix.com/article/CTX136163
- http://www.securityfocus.com/bid/57259
- http://osvdb.org/89070
- http://www.securityfocus.com/bid/57225
- http://secunia.com/advisories/51821
- http://osvdb.org/89146
- http://seclists.org/fulldisclosure/2013/Jan/65
- http://osvdb.org/89147
- http://secunia.com/advisories/51827
- http://secunia.com/advisories/51366
- http://www.securitytracker.com/id?1027978
- http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E