Shell Injection Vulnerability on NC
A vulnerability has been identified in Eucalyptus 3.0.0 through 3.3.1. An authenticated Eucalyptus user can execute potentially arbitrary shell commands with root privileges on Node Controller (NC) components. An update is now available that resolves this issue. We advise immediately updating all affected Eucalyptus installations.
A flaw was identified in the implementation of the bundling instance functionality on NC hosts. A user with the permissions to bundle instances could manipulate input parameters when bundling an instance and execute potentially arbitrary shell commands on the NC with root privileges. This could lead to complete compromise of the NC and potentially allow access to data on EBS and Walrus.
If an immediate upgrade is not possible, existing installations can be protected from the vulnerability by disabling BundleInstance functionality (creation of EMIs from running Windows instances). To apply the workaround, perform the following on each of the CC hosts in your installation:
In /usr/lib64/axis2c/services/EucalyptusCC/services.xml remove the following consecutive three lines:
Restart the Cluster Controller service:
Eucalyptus version 3.3.2 resolves this issue.
Please see https://www.eucalyptus.com/download/eucalyptus for instructions on downloading and upgrading to the latest Eucalyptus software.
Contact and help
Contact the Eucalyptus security team at firstname.lastname@example.org.