Description of Problem
A vulnerability has been identified in Citrix CloudPlatform, formerly known as Citrix CloudStack, that could allow an attacker to execute arbitrary commands within the multi-tenant environment.
This vulnerability has been assigned the following CVE number:
• CVE-2012-4501: Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs.
This vulnerability affects all versions of Citrix CloudPlatform up to and including version 3.0.5. Citrix CloudPlatform version 3.0.6 is not affected by this vulnerability.
Customers using Apache CloudStack 4.0 are not affected by this vulnerability.
What Customers Should Do
Citrix strongly recommends that customers apply the following workaround to their affected CloudPlatform deployments:
1. From the CloudPlatform database server console, log in to MYSQL:
[root@host] # mysql -u cloud -p <your-password> -h <host-ip-address>
2. Update the system account with a random password with the following SQL command:
Mysql> update `cloud`.`user` set password=RAND() where id=1;
3. Log out of MYSQL:
Note that the commands above need only be executed once and that no management server reboot is required.
What Citrix Is Doing
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to firstname.lastname@example.org stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.