SOAP Interfaces Vulnerable to XML Signature Element Wrapping Attacks
A security vulnerability has been identified in HP Helion Eucalyptus EE 2.0.1 and earlier, and in HP Helion Eucalyptus 2.0.2 and earlier. An update is now available that resolves this issue. We advise immediately updating all affected HP Helion Eucalyptus installations following the instructions below.
This vulnerability allows an unauthenticated remote attacker who can observe the network traffic between an authenticated user and an HP Helion Eucalyptus installation to modify an intercepted, signed SOAP request and submit arbitrary commands to the HP Helion Eucalyptus SOAP interface in the context of that authenticated user. In an XML Signature element wrapping attack the attacker keeps the originally signed element (and its valid signature) but moves it to another location in the message, such as a wrapper element in the SOAP header, and inserts an unsigned element of their own in its place; a verifier that locates the signed element only by its Id reference still finds the original and accepts the signature, while the application then acts on the attacker's substitute. The attacker does not need the user's credentials or signing key. Special thanks to Juraj Somorovsky, Jörg Schwenk, Meiko Jensen and Xiaofeng Lou, who reported this vulnerability to us and provided all the details needed to produce the current release.
HP Helion Eucalyptus EE 2.0.2 and HP Helion Eucalyptus 2.0.3 resolve this issue.
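The following is an added, self-contained illustration of the wrapping attack described above and of the check that defeats it; it is not code from the advisory, nor HP Helion Eucalyptus's own SOAP handling. To stay stdlib-only it replaces the real XML-DSig machinery (canonicalization, DigestValue, an RSA signature over SignedInfo) with an HMAC over the serialized referenced element under a constructed key; the namespaces, element names, request actions and key are all constructed for the example. What is faithful is the part that matters: a verifier that resolves the Reference URI by searching the whole document for a matching wsu:Id accepts the wrapped message, while a verifier that first picks the element the application will actually process (the Body child of the Envelope) and only then checks that it is the element the signature covers rejects it.

```python
"""XML Signature wrapping, simplified (stdlib only, constructed example).

The "signature" is an HMAC over the serialised referenced element, standing
in for a real XML-DSig signature; the reference-resolution logic being
compared is the same as in real verifiers, which is where wrapping lives.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
EC2 = "urn:example:ec2"    # constructed namespace for the request actions
DEMO = "urn:example:demo"  # constructed namespace for the toy signature/wrapper

for prefix, uri in (("soapenv", SOAP), ("wsu", WSU), ("ec2", EC2), ("demo", DEMO)):
    ET.register_namespace(prefix, uri)  # fixed prefixes keep serialisation stable

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the user's signing key


def digest(elem):
    """Digest of the serialised subtree (stands in for C14N + DigestValue)."""
    return hashlib.sha256(ET.tostring(elem)).hexdigest()


def _mac(elem):
    return hmac.new(SIGNING_KEY, digest(elem).encode(), "sha256").hexdigest()


def build_signed_request(action):
    """Legitimate user: SOAP request whose Body (wsu:Id="Body") is signed."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": "Body"})
    ET.SubElement(body, f"{{{EC2}}}{action}")
    sig = ET.SubElement(header, f"{{{DEMO}}}Signature")
    ref = ET.SubElement(sig, f"{{{DEMO}}}Reference", {"URI": "#Body"})
    ref.text = _mac(body)  # signature value over the referenced element
    return env


def wrap(env, new_action):
    """Attacker: keep the signed Body and its signature untouched, move the
    Body into a wrapper inside the Header, and add an unsigned Body of their own."""
    env = copy.deepcopy(env)
    header = env.find(f"{{{SOAP}}}Header")
    orig_body = env.find(f"{{{SOAP}}}Body")
    env.remove(orig_body)
    ET.SubElement(header, f"{{{DEMO}}}Wrapper").append(orig_body)  # still wsu:Id="Body"
    new_body = ET.SubElement(env, f"{{{SOAP}}}Body")  # no Id, no signature
    ET.SubElement(new_body, f"{{{EC2}}}{new_action}")
    return env


def _reference(env):
    ref = env.find(f"{{{SOAP}}}Header/{{{DEMO}}}Signature/{{{DEMO}}}Reference")
    return ref.get("URI").lstrip("#"), ref.text


def verify_vulnerable(env):
    """Resolve the URI by scanning the whole document for a matching wsu:Id.
    Whatever element carries that Id gets verified, wherever it now sits."""
    ref_id, expected = _reference(env)
    for elem in env.iter():
        if elem.get(f"{{{WSU}}}Id") == ref_id:
            return hmac.compare_digest(_mac(elem), expected)
    return False


def verify_hardened(env):
    """Select the element by its fixed position, /Envelope/Body, which is the
    element the application will execute, and only then require that it is
    the one the Reference names and that its signature checks out."""
    body = env.find(f"{{{SOAP}}}Body")  # direct child only
    ref_id, expected = _reference(env)
    if body is None or body.get(f"{{{WSU}}}Id") != ref_id:
        return False
    return hmac.compare_digest(_mac(body), expected)


def dispatched_action(env):
    """What the application actually executes: the operation in /Envelope/Body."""
    return env.find(f"{{{SOAP}}}Body")[0].tag.split("}")[1]


if __name__ == "__main__":
    legit = build_signed_request("DescribeInstances")
    evil = wrap(legit, "TerminateInstances")
    for name, msg in (("original", legit), ("wrapped", evil)):
        print(f"{name:9} vulnerable={verify_vulnerable(msg)} "
              f"hardened={verify_hardened(msg)} runs={dispatched_action(msg)}")
```

The hardened check is the general rule behind every sound fix for wrapping: decide which element the application will process first, by position rather than by Id, and verify the signature over exactly that element; an Id-based lookup is only safe if it is afterwards compared against the element actually consumed. Patching the verifier is the server-side fix; an operator can additionally reduce exposure by keeping the SOAP endpoint behind TLS, since the attacker must first obtain a signed request from the wire.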
To update HP Helion Eucalyptus EE 2.0 installations to HP Helion Eucalyptus EE 2.0.2:
- Download the updated HP Helion Eucalyptus software from http://downloads.eucalyptus.com/software/eucalyptus/2.0.3/
- Next, follow the HP Helion Eucalyptus EE 2.0 series upgrade instructions for your particular distribution, as shown in the EE 2.0 Administrator's Guide at https://www.eucalyptus.com/docs
To update HP Helion Eucalyptus 2.0 installations to HP Helion Eucalyptus 2.0.3:
- Download the updated HP Helion Eucalyptus software from https://www.eucalyptus.com/download/eucalyptus
- Next, follow the HP Helion Eucalyptus 2.0 series upgrade instructions for your particular distribution, as shown at https://www.eucalyptus.com/eucalyptus-cloud/documentation/eucalyptus/2.0
Users running Ubuntu Enterprise Cloud powered by HP Helion Eucalyptus (UEC) should refer to the Ubuntu security announcement USN-1137-1.
Contact and help
Contact the HP Helion Eucalyptus security team at firstname.lastname@example.org.