Walrus is a storage service included with Eucalyptus. It supports an internal REST API that is used by Eucalyptus components to access data stored on Walrus. The internal message protocol did not require all supported request headers to be signed. This flaw allowed intercepted internal requests to Walrus to be modified to manipulate (in a limited way) data stored on Walrus. Modified requests could be used to perform tasks including deleting or uploading snapshots.

Links:
http://www.eucalyptus.com/eucalyptus-cloud/security/esa-08
https://eucalyptus.atlassian.net/browse/EUCA-3112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4066
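As an added illustration of the flaw class (not code from Eucalyptus or from this bug), here is a simplified HMAC request signer and verifier: with only a subset of headers covered, an unsigned header can change without invalidating the signature, and the verifier's require_all_signed check closes that gap by rejecting any request carrying headers outside the signed set. The key, header names and paths are constructed and are not Walrus's actual protocol.

```python
import hashlib
import hmac

# Constructed shared secret between two internal components (an assumption,
# not a value from the Eucalyptus code base).
SHARED_KEY = b"constructed-internal-secret"

def canonical_string(method, path, headers, signed_names):
    """Join the method, path and the listed headers into the bytes to sign.

    Only headers named in signed_names are covered; anything else in the
    request is outside the signature's protection.
    """
    parts = [method.upper(), path]
    for name in sorted(signed_names, key=str.lower):
        parts.append(f"{name.lower()}:{headers[name].strip()}")
    return "\n".join(parts).encode()

def sign(method, path, headers, signed_names, key=SHARED_KEY):
    """Return a hex HMAC-SHA256 over the canonical string."""
    msg = canonical_string(method, path, headers, signed_names)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(method, path, headers, signed_names, signature, key=SHARED_KEY,
           require_all_signed=True):
    """Check the signature; optionally refuse requests with unsigned headers.

    With require_all_signed=False the verifier mirrors the flawed behaviour:
    a header outside the signed set can be changed without breaking the MAC.
    """
    if require_all_signed and set(headers) - set(signed_names):
        return False  # request carries a header the signer never covered
    expected = sign(method, path, headers, signed_names, key)
    return hmac.compare_digest(expected, signature)

def tamper_outcomes():
    """Sign a constructed request, alter an unsigned header, verify both ways."""
    headers = {"Host": "walrus.internal", "Date": "Tue, 01 Jan 2013 00:00:00 GMT",
               "X-Operation": "read"}  # constructed request
    partial = ["Host", "Date"]  # X-Operation deliberately left unsigned
    sig = sign("GET", "/bucket/object", headers, partial)
    tampered = dict(headers, **{"X-Operation": "changed"})
    full = list(headers)
    return {
        "lenient_accepts_tampered": verify("GET", "/bucket/object", tampered, partial, sig,
                                           require_all_signed=False),
        "strict_rejects_tampered": not verify("GET", "/bucket/object", tampered, partial, sig),
        "strict_accepts_fully_signed": verify("GET", "/bucket/object", headers, full,
                                              sign("GET", "/bucket/object", headers, full)),
    }
```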
Builds for testing: http://koji.fedoraproject.org/koji/taskinfo?taskID=5065358
Thanks for this report. I'm turning this into an SRT bug as it looks like this affects more than just Fedora.
Created eucalyptus tracking bugs for this issue.
Affects: fedora-18 [bug 917851]
This is fixed via:
euca2ools-2.1.3-1.fc18
euca2ools-2.1.3-1.fc17
euca2ools-2.1.3-1.el5
euca2ools-2.1.3-1.el6
eucalyptus in Fedora is pending.
eucalyptus-3.2.1-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Is there any reason to keep this open? The F18 eucalyptus package was pushed a couple of weeks ago, and rawhide & F19 will have eucalyptus 3.3.
This flaw does not affect the jclouds Eucalyptus API as shipped with JBoss Fuse 6.0.0 and Fuse ESB Enterprise 7.1.0.