SOAP Interfaces Vulnerable to XML Signature Element Wrapping Attacks
A security vulnerability has been identified in Eucalyptus EE 2.0.1 and earlier, and in Eucalyptus 2.0.2 and earlier. An update is now available that resolves this issue. We advise immediately updating all affected Eucalyptus installations following the instructions below.
This vulnerability allows an unauthenticated remote attacker who can intercept the network traffic between an authenticated user and a Eucalyptus installation to modify intercepted SOAP requests and submit arbitrary commands to the Eucalyptus SOAP interface in the context of the authenticated user. In an XML Signature wrapping attack the attacker does not break the signature: the signed element (the SOAP Body) is moved elsewhere in the message, for example into a wrapper element under the SOAP Header, and an attacker-controlled element is placed at its original position. A verifier that locates the signed element by its Id reference still finds and validates the original Body, while the application processes the element at the expected position, so the attacker's command is executed as the authenticated user. Special thanks to Juraj Somorovsky, Jörg Schwenk, Meiko Jensen and Xiaofeng Lou, who reported this vulnerability to us and provided all the details needed to produce the current release.
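The following is an added, constructed illustration of the attack class described above; it is not Eucalyptus code. To keep it self-contained it replaces real XML-DSig (canonicalization, ds:SignedInfo, key material) with an HMAC-SHA256 over the serialized referenced element, uses a plain Id attribute instead of wsu:Id, and uses hypothetical namespaces for the operation and the wrapper. The wrapping problem is about which element is verified versus which is processed, not about the cryptography, so the simplification preserves the point: the vulnerable verifier resolves the Reference by Id anywhere in the document, the hardened one requires the Reference to resolve to the very Body element that will be dispatched.

```python
"""Constructed XML Signature wrapping demo (not Eucalyptus code).
Assumption: HMAC-SHA256 over the serialized element stands in for XML-DSig."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
OPS = "urn:example:cloud-api"          # hypothetical operation namespace
ATK = "urn:example:attacker-wrapper"   # hypothetical namespace for the wrapper
DEMO_KEY = b"constructed-demo-key"     # constructed shared secret for the demo
for _prefix, _uri in (("soap", SOAP), ("ds", DS), ("ops", OPS), ("atk", ATK)):
    ET.register_namespace(_prefix, _uri)


def _tag(ns, local):
    return f"{{{ns}}}{local}"


def _sign(key, element):
    # Simplified "signature": HMAC over the serialized element subtree.
    return hmac.new(key, ET.tostring(element), hashlib.sha256).hexdigest()


def build_signed_request(key, action, instance_id):
    """Client side: sign the Body and reference it from the Header by Id."""
    env = ET.Element(_tag(SOAP, "Envelope"))
    header = ET.SubElement(env, _tag(SOAP, "Header"))
    body = ET.SubElement(env, _tag(SOAP, "Body"), {"Id": "body"})
    op = ET.SubElement(body, _tag(OPS, action))
    ET.SubElement(op, _tag(OPS, "instanceId")).text = instance_id
    sig = ET.SubElement(header, _tag(DS, "Signature"))
    ET.SubElement(sig, _tag(DS, "Reference"), {"URI": "#body"})
    ET.SubElement(sig, _tag(DS, "SignatureValue")).text = _sign(key, body)
    return ET.tostring(env, encoding="unicode")


def wrap(xml_text, evil_action, evil_instance):
    """Attacker: move the signed Body (Id intact) into a wrapper under the
    Header and put an unsigned Body with a different command in its place."""
    root = ET.fromstring(xml_text)
    header = root.find(_tag(SOAP, "Header"))
    signed_body = root.find(_tag(SOAP, "Body"))
    root.remove(signed_body)
    ET.SubElement(header, _tag(ATK, "Wrapper")).append(signed_body)
    evil = ET.SubElement(root, _tag(SOAP, "Body"))
    op = ET.SubElement(evil, _tag(OPS, evil_action))
    ET.SubElement(op, _tag(OPS, "instanceId")).text = evil_instance
    return ET.tostring(root, encoding="unicode")


def tamper_in_place(xml_text, new_instance):
    """Naive edit of the signed Body: the signature no longer matches, which is
    why the attacker needs wrapping rather than simple modification."""
    root = ET.fromstring(xml_text)
    path = _tag(SOAP, "Body") + "/*/" + _tag(OPS, "instanceId")
    root.find(path).text = new_instance
    return ET.tostring(root, encoding="unicode")


def _dispatch(body):
    """Application logic: execute the operation found in the Body."""
    op = body[0]
    return op.tag.split("}")[1], op.findtext(_tag(OPS, "instanceId"))


def _signature_parts(root):
    sig = root.find(_tag(SOAP, "Header") + "/" + _tag(DS, "Signature"))
    ref_uri = sig.find(_tag(DS, "Reference")).get("URI")
    return ref_uri.lstrip("#"), sig.findtext(_tag(DS, "SignatureValue"))


def verify_vulnerable(key, xml_text):
    """Resolve the Reference by Id anywhere in the document, verify that
    element, then process the Body at its usual position. Nothing ties the
    verified element to the processed one."""
    root = ET.fromstring(xml_text)
    ref_id, sig_value = _signature_parts(root)
    signed = next(e for e in root.iter() if e.get("Id") == ref_id)
    if not hmac.compare_digest(_sign(key, signed), sig_value):
        raise ValueError("signature verification failed")
    return _dispatch(root.find(_tag(SOAP, "Body")))


def verify_hardened(key, xml_text):
    """Start from the element that will be processed (the single Body directly
    under Envelope) and require the Reference to resolve to that same object."""
    root = ET.fromstring(xml_text)
    bodies = root.findall(_tag(SOAP, "Body"))
    if len(bodies) != 1:
        raise ValueError("expected exactly one soap:Body under Envelope")
    body = bodies[0]
    ref_id, sig_value = _signature_parts(root)
    matches = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(matches) != 1 or matches[0] is not body:
        raise ValueError("signature does not cover the Body being processed")
    if not hmac.compare_digest(_sign(key, body), sig_value):
        raise ValueError("signature verification failed")
    return _dispatch(body)


def rejects(verifier, key, xml_text):
    """True if the verifier refuses the message."""
    try:
        verifier(key, xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = build_signed_request(DEMO_KEY, "DescribeInstances", "i-12345678")
    evil = wrap(msg, "TerminateInstances", "i-87654321")
    print("vulnerable verifier executes:", verify_vulnerable(DEMO_KEY, evil))
    print("hardened verifier rejects:", rejects(verify_hardened, DEMO_KEY, evil))
```

The hardened verifier's identity check (`matches[0] is not body`) is the essential part: checking the signature before deciding which element the application will act on, or resolving the Id reference without regard to where the element sits, is what makes the wrapped message pass. In a real XML-DSig implementation the same rule applies after canonicalization and reference resolution, and duplicate Id values must be treated as an error rather than resolved to the first match.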
Eucalyptus EE 2.0.2 and Eucalyptus 2.0.3 resolve this issue.
To update Eucalyptus EE 2.0 installations to Eucalyptus EE 2.0.2:
- Download the updated Eucalyptus software from http://downloads.eucalyptus.com/software/eucalyptus/2.0.3/
- Next, follow the Eucalyptus EE 2.0 series upgrade instructions for your particular distribution, as shown in the EE 2.0 Administrator's Guide at https://www.eucalyptus.com/docs
To update Eucalyptus 2.0 installations to Eucalyptus 2.0.3:
- Download the updated Eucalyptus software from https://www.eucalyptus.com/download/eucalyptus
- Next, follow the Eucalyptus 2.0 series upgrade instructions for your particular distribution, as shown at https://www.eucalyptus.com/eucalyptus-cloud/documentation/eucalyptus/2.0
Users running Ubuntu Enterprise Cloud powered by Eucalyptus (UEC) should refer to the Ubuntu security announcement USN-1137-1.
Contact and help
Contact the Eucalyptus security team at email@example.com.