
SOAP Interfaces Vulnerable to XML Signature Element Wrapping Attacks 




Severity Level: CRITICAL
Issue Date: 2011-05-25
Last Updated: 2011-05-25
Affected Products: Eucalyptus EE 2.0.1, Eucalyptus 2.0.2 and earlier
CVE Number: CVE-2011-0730

 

 

Overview

A security vulnerability has been identified in Eucalyptus EE 2.0.1, Eucalyptus 2.0.2 and earlier. An update is now available that resolves this issue. We advise immediately updating all affected Eucalyptus installations following the instructions below.

Description

This vulnerability allows an unauthenticated remote attacker who has access to the network traffic between an authenticated user and a Eucalyptus installation to modify intercepted SOAP requests and submit arbitrary commands to the Eucalyptus SOAP interface in the context of the authenticated user. Special thanks to Juraj Somorovsky, Jörg Schwenk, Meiko Jensen and Xiaofeng Lou, who warned us about this vulnerability and gave us all the details needed to produce the current release.
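For readers validating their own SOAP endpoints against this class of issue, the following added example (not Eucalyptus code and not the fix shipped in the update) sketches the structural check a receiver needs: the element covered by the signature reference must be the one Body the service actually processes. It assumes unqualified `Id` or `wsu:Id` attributes, uses constructed sample messages, and does not perform the cryptographic signature verification that must accompany it.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ID_ATTRS = ("{%s}Id" % WSU, "Id", "ID")  # attributes treated as IDs (assumption)

def element_id(el):
    for name in ID_ATTRS:
        if el.get(name):
            return el.get(name)
    return None

def check_signed_body(xml_text):
    """Return (ok, reason); ok only if the signature reference resolves
    to the single Body element that the SOAP stack will process."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Envelope" % SOAP:
        return False, "root is not a SOAP Envelope"
    bodies = root.findall("{%s}Body" % SOAP)  # direct children only
    if len(bodies) != 1:
        return False, "expected exactly one Body under Envelope"
    ids = [element_id(e) for e in root.iter() if element_id(e)]
    if len(ids) != len(set(ids)):
        return False, "duplicate Id values in message"
    refs = [r.get("URI", "") for r in root.iter("{%s}Reference" % DS)]
    if not refs:
        return False, "no ds:Reference found"
    body_id = element_id(bodies[0])
    if body_id is None or ("#" + body_id) not in refs:
        return False, "processed Body is not the signed element"
    return True, "signed element is the processed Body"

def envelope(header_extra, body_attrs):
    # Builds a constructed test message; the Signature is a stub with no digest.
    return ('<s:Envelope xmlns:s="%s" xmlns:ds="%s"><s:Header>'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/>'
            '</ds:SignedInfo></ds:Signature>%s</s:Header>'
            '<s:Body%s><Op/></s:Body></s:Envelope>'
            % (SOAP, DS, header_extra, body_attrs))

# Constructed samples: a well-formed message, one whose signed element sits
# outside the processed Body, and one that reuses an Id value.
MOVED = '<Wrapper><s:Body Id="body-1"><Op/></s:Body></Wrapper>'
GOOD = envelope("", ' Id="body-1"')
WRAPPED = envelope(MOVED, ' Id="body-2"')
DUPLICATE = envelope(MOVED, ' Id="body-1"')
```
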

Solution

Eucalyptus EE 2.0.2 and Eucalyptus 2.0.3 resolve this issue.


Instructions

To update Eucalyptus EE 2.0 installations to Eucalyptus EE 2.0.2:

  1. Download the updated Eucalyptus software from http://downloads.eucalyptus.com/software/eucalyptus/2.0.3/
  2. Next, follow the Eucalyptus EE 2.0 series upgrade instructions for your particular distribution, as shown in the EE 2.0 Administrator's Guide at https://www.eucalyptus.com/docs

To update Eucalyptus 2.0 installations to Eucalyptus 2.0.3:

  1. Download the updated Eucalyptus software from https://www.eucalyptus.com/download/eucalyptus
  2. Next, follow the Eucalyptus 2.0 series upgrade instructions for your particular distribution, as shown at https://www.eucalyptus.com/eucalyptus-cloud/documentation/eucalyptus/2.0

Additional Information

Users running Ubuntu Enterprise Cloud powered by Eucalyptus (UEC) should refer to the Ubuntu security announcement USN-1137-1.

http://www.ubuntu.com/usn/usn-1137-1

Contact and help

Contact the Eucalyptus security team at security@eucalyptus.com.