
SOAP Interfaces Vulnerable to XML Signature Element Wrapping Attacks 




Severity Level: CRITICAL
Issue Date: 2011-05-25
Last Updated: 2011-05-25
Affected Products: HP Helion Eucalyptus EE 2.0.1, HP Helion Eucalyptus 2.0.2 and earlier
CVE Number: CVE-2011-0730

Overview

A security vulnerability has been identified in HP Helion Eucalyptus EE 2.0.1, HP Helion Eucalyptus 2.0.2 and earlier. An update is now available that resolves this issue. We advise immediately updating all affected HP Helion Eucalyptus installations following the instructions below.

Description

This vulnerability allows an unauthenticated remote attacker who has access to the network traffic between an authenticated user and an HP Helion Eucalyptus installation to modify intercepted SOAP requests and submit arbitrary commands to the HP Helion Eucalyptus SOAP interface in the context of the authenticated user. Special thanks to Juraj Somorovsky, Jörg Schwenk, Meiko Jensen and Xiaofeng Lou, who warned us about this vulnerability, thereby giving us all the needed details to produce the current release.
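Signature element wrapping, the attack class named in the title, succeeds when signature verification locates the signed element by Id while request processing takes the operation from the Body under the Envelope, so the two can resolve to different elements. The following Python is an added example, not Eucalyptus code and not the shipped fix: it shows the structural check that ties the signed element to the processed one. The function name `check_signed_body`, the `Wrapper` element, the operation names and all sample messages are constructed for illustration, and cryptographic verification of the signature is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = f"{{{WSU}}}Id"  # namespaced wsu:Id attribute as ElementTree stores it

def check_signed_body(xml_text):
    """Structural check only; run it in addition to verifying the signature.
    Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP}}}Envelope":
        return False, "root is not soap:Envelope"
    # The element a SOAP stack dispatches on: Body as a direct child of Envelope.
    bodies = root.findall(f"{{{SOAP}}}Body")
    if len(bodies) != 1:
        return False, "expected exactly one Body under Envelope"
    body_id = bodies[0].get(WSU_ID)
    # Ids the signature covers (same-document references of the form "#id").
    signed_ids = {r.get("URI", "")[1:] for r in root.iter(f"{{{DS}}}Reference")
                  if r.get("URI", "").startswith("#")}
    if body_id is None or body_id not in signed_ids:
        return False, "processed Body is not covered by the signature"
    # An Id lookup must not be able to resolve to some other element.
    if sum(1 for e in root.iter() if e.get(WSU_ID) == body_id) != 1:
        return False, "signed Id is not unique in the document"
    return True, "ok"

# Constructed sample messages (simplified: no wsse:Security wrapper, no digest).
def _envelope(header_extra, body_xml):
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:ds="{DS}" xmlns:u="{WSU}">'
            '<s:Header><ds:Signature><ds:SignedInfo>'
            '<ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>'
            f'{header_extra}</s:Header>{body_xml}</s:Envelope>')

SIGNED = '<s:Body u:Id="body-1"><ListItems/></s:Body>'
LEGIT = _envelope("", SIGNED)
# Signed Body relocated under the header; a different Body is what gets processed.
WRAPPED = _envelope(f"<Wrapper>{SIGNED}</Wrapper>",
                    '<s:Body u:Id="body-2"><DeleteItems/></s:Body>')
# Same relocation, but the new Body reuses the signed Id.
DUPLICATE_ID = _envelope(f"<Wrapper>{SIGNED}</Wrapper>",
                         '<s:Body u:Id="body-1"><DeleteItems/></s:Body>')

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("wrapped", WRAPPED),
                      ("duplicate-id", DUPLICATE_ID)]:
        print(name, check_signed_body(msg))
```

A service handling untrusted input would parse with a hardened XML parser and pass the application the exact element object that the signature verifier validated, rather than looking it up a second time.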

Solution

HP Helion Eucalyptus EE 2.0.2 and HP Helion Eucalyptus 2.0.3 resolve this issue.


Instructions

To update HP Helion Eucalyptus EE 2.0 installations to HP Helion Eucalyptus EE 2.0.2:

  1. Download the updated HP Helion Eucalyptus software from http://downloads.eucalyptus.com/software/eucalyptus/2.0.3/
  2. Next, follow the HP Helion Eucalyptus EE 2.0 series upgrade instructions for your particular distribution, as shown in the EE 2.0 Administrator's Guide at https://www.eucalyptus.com/docs

To update HP Helion Eucalyptus 2.0 installations to HP Helion Eucalyptus 2.0.3:

  1. Download the updated HP Helion Eucalyptus software from https://www.eucalyptus.com/download/eucalyptus
  2. Next, follow the HP Helion Eucalyptus 2.0 series upgrade instructions for your particular distribution, as shown at https://www.eucalyptus.com/eucalyptus-cloud/documentation/eucalyptus/2.0

Additional Information

Users running Ubuntu Enterprise Cloud powered by HP Helion Eucalyptus (UEC) should refer to the Ubuntu security announcement USN-1137-1.

http://www.ubuntu.com/usn/usn-1137-1

Contact and help

Contact the HP Helion Eucalyptus security team at euca-security@hp.com.