Shell Injection Vulnerability on NC


Severity Level: CRITICAL
Issue Date: 2013-10-02
Last Updated: 2013-10-24
Affected Products: Eucalyptus 3.0.0 to Eucalyptus 3.3.1
CVE Number: CVE-2013-4767




A vulnerability has been identified in Eucalyptus 3.0.0 through 3.3.1. An authenticated Eucalyptus user can execute potentially arbitrary shell commands with root privileges on Node Controller (NC) components. An update is now available that resolves this issue. We advise immediately updating all affected Eucalyptus installations.


A flaw was identified in the implementation of the instance-bundling functionality on NC hosts. A user with permission to bundle instances could manipulate the input parameters of a bundle request and execute potentially arbitrary shell commands on the NC with root privileges. This could lead to complete compromise of the NC and potentially allow access to data on EBS and Walrus.


If an immediate upgrade is not possible, existing installations can be protected from the vulnerability by disabling BundleInstance functionality (creation of EMIs from running Windows instances). To apply the workaround, perform the following on each of the CC hosts in your installation:


  1. In /usr/lib64/axis2c/services/EucalyptusCC/services.xml remove the following three consecutive lines (the BundleInstance operation element and its wsamapping parameter):

     <operation name="BundleInstance">
     <parameter name="wsamapping">EucalyptusCC#BundleInstance</parameter>
     </operation>

  2. Restart the Cluster Controller service:

     # service eucalyptus-cc restart
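For operators applying the workaround above to many CC hosts, the following added example (not part of the advisory or of Eucalyptus) removes the BundleInstance operation from a services.xml document with an XML parser and verifies that neither the operation nor its wsamapping remains. The sample services.xml content is constructed for illustration; the real file has more operations and parameters.

```python
"""Apply and verify the services.xml workaround programmatically.
Added example, not part of the Eucalyptus advisory. The sample XML is
a constructed stand-in for /usr/lib64/axis2c/services/EucalyptusCC/services.xml."""
import xml.etree.ElementTree as ET

# Constructed sample: a service definition with three mapped operations.
SAMPLE_SERVICES_XML = """<service name="EucalyptusCC">
    <parameter name="ServiceClass">EucalyptusCC</parameter>
    <operation name="RunInstances">
        <parameter name="wsamapping">EucalyptusCC#RunInstances</parameter>
    </operation>
    <operation name="BundleInstance">
        <parameter name="wsamapping">EucalyptusCC#BundleInstance</parameter>
    </operation>
    <operation name="DescribeInstances">
        <parameter name="wsamapping">EucalyptusCC#DescribeInstances</parameter>
    </operation>
</service>
"""

def disable_operation(xml_text, op_name="BundleInstance"):
    """Remove every <operation name=op_name> element, together with its child
    wsamapping parameter. Returns (new_xml_text, number_of_elements_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    # Snapshot the parents first so removals do not disturb the traversal.
    for parent in list(root.iter()):
        for op in list(parent.findall("operation")):
            if op.get("name") == op_name:
                parent.remove(op)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

def exposed_operations(xml_text):
    """Sorted names of the operations still mapped for the service."""
    root = ET.fromstring(xml_text)
    return sorted(op.get("name") for op in root.iter("operation"))

def is_workaround_applied(xml_text, op_name="BundleInstance"):
    """True when neither the operation element nor its WS-Addressing mapping remains."""
    root = ET.fromstring(xml_text)
    if any(op.get("name") == op_name for op in root.iter("operation")):
        return False
    mapping = "EucalyptusCC#" + op_name
    return not any(p.text == mapping for p in root.iter("parameter"))

if __name__ == "__main__":
    patched, count = disable_operation(SAMPLE_SERVICES_XML)
    print("removed", count, "operation element(s); remaining:", exposed_operations(patched))
    print("workaround applied:", is_workaround_applied(patched))
```

Write the returned text back to services.xml and restart the CC service as in step 2; re-run is_workaround_applied on the file afterwards to confirm the change survived.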


Eucalyptus version 3.3.2 resolves this issue.

Please see for instructions on downloading and upgrading to the latest Eucalyptus software.


Contact and help

Contact the Eucalyptus security team at