Red Hat Bugzilla – Bug 916709
CVE-2012-4066 eucalyptus: Walrus Request Manipulation Vulnerability
Last modified: 2016-11-07 22:47:00 EST
Walrus is a storage service included with Eucalyptus. It supports an
internal REST API that is used by Eucalyptus components to access data
stored on Walrus. The internal message protocol did not require all
supported request headers to be signed. This flaw allowed intercepted
internal requests to Walrus to be modified to manipulate (in a limited
way) data stored on Walrus. Modified requests could be used to perform
tasks including deleting or uploading snapshots.
Builds for testing:
Thanks for this report. I'm turning this into an SRT bug as it looks like this affects more than just Fedora.
Created eucalyptus tracking bugs for this issue
Affects: fedora-18 [bug 917851]
This is fixed via:
eucalyptus in Fedora is pending.
eucalyptus-3.2.1-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Is there any reason to keep this open? The F18 eucalyptus package was pushed a couple of weeks ago, and rawhide & F19 will have eucalyptus 3.3.
This flaw does not affect the jclouds Eucalyptus API as shipped with JBoss Fuse 6.0.0 and Fuse ESB Enterprise 7.1.0.
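The flaw class in the description at the top of this bug (a request signature that does not cover every header the service acts on), shown as an added example that is not Eucalyptus code and not part of the original report. The header names, key, path and sample request are constructed assumptions; the page does not list the real Walrus headers or its signing format.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, demo only
# Hypothetical header names: the page does not list the real Walrus headers.
SUPPORTED = ("date", "x-demo-bucket", "x-demo-operation", "x-demo-snapshot")
SIGNED_SUBSET = ("date", "x-demo-bucket")  # the weak scheme covers only these

def _enc(value):
    # Length-prefix each field so values cannot run into one another;
    # "-" marks an absent header, so adding a header later changes the MAC.
    return "-" if value is None else f"{len(value)}:{value}"

def _mac(method, path, headers, names):
    """HMAC-SHA256 over method, path and the named headers in sorted order."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    parts = [_enc(method.upper()), _enc(path)]
    parts += [n + "=" + _enc(h.get(n)) for n in sorted(names)]
    return hmac.new(KEY, "\n".join(parts).encode(), hashlib.sha256).hexdigest()

def sign_subset(method, path, headers):
    """Weak: headers outside SIGNED_SUBSET are honoured but not authenticated."""
    return _mac(method, path, headers, SIGNED_SUBSET)

def sign_supported(method, path, headers):
    """Hardened: every header the service acts on is bound to the MAC."""
    return _mac(method, path, headers, SUPPORTED)

def verify(sign, method, path, headers, signature):
    return hmac.compare_digest(sign(method, path, headers), signature)

# Constructed sample request and a copy whose unsigned header changed in transit.
REQUEST = ("PUT", "/internal/demo-object")
ORIGINAL = {"Date": "Tue, 01 Jan 2013 00:00:00 GMT",
            "X-Demo-Bucket": "snapshots",
            "X-Demo-Operation": "store"}
TAMPERED = dict(ORIGINAL, **{"X-Demo-Operation": "remove"})

def demo():
    weak = sign_subset(*REQUEST, ORIGINAL)
    strong = sign_supported(*REQUEST, ORIGINAL)
    return {
        "weak_accepts_tampered": verify(sign_subset, *REQUEST, TAMPERED, weak),
        "strong_accepts_tampered": verify(sign_supported, *REQUEST, TAMPERED, strong),
        "strong_accepts_original": verify(sign_supported, *REQUEST, ORIGINAL, strong),
    }

if __name__ == "__main__":
    print(demo())
```

The receiving side must refuse to act on any header outside the signed set; signing more headers on the sender alone does not close the gap.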