lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 9 Jun 2016 06:49:29 -0700
From: John Kinsella <jlk@...che.org>
To: bugtraq@...urityfocus.com
Subject: CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

CVSS v2:
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Accelerite, Inc

Versions affected:
CloudStack versions 4.5.0 and newer

Description:
Apache CloudStack contains an authentication module providing “single
sign-on” functionality via the SAML data format. Under certain
conditions, a user could manage to access the user interface without
providing proper credentials. As the SAML plugin is disabled by
default, this issue only affects installations that have enabled
and use SAML-based authentication.

Mitigation:
Users of Apache CloudStack using the SAML plugin should upgrade to
one of the following versions, based on which release they are
currently using: 4.5.2.1, 4.6.2.1, 4.7.1.1, or 4.8.0.1. These
versions contain only security updates, and no other functionality
change.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJXWNuFAAoJEOom9N0pCN7Sw8EP/0Q5YgomRGEocod2Cmlfd/E9
JKSBdt38hTclPXcdi3w/1Fq88l54erfHuPLPJObpsIR/vQGiOU0K9KkaO5jYDHtR
uFzb37PDzkR/x0tpfOvl1LqWOl89dSjF0qNAB8gi5ThqSWhBst70bjq0bR1aFxXx
I05JzZgD4eye+3tYRcVoFPOkbP7E5pWFtPo9LKUdRL4bfSwskB7d5MOGUoBMQfBb
vuMp7BikT3kMU7kiXNHKMCdd24iAQeiMOocZo7fPn70DiKANqLzinLxlWZHrd4Lh
IPO/m35s52tIVFxXAIF5N7ThAhOCoqQykxykCAgZN1Wi5444/bBJ/ppaP3StWq8i
gRTPzVYbniCTUfG4ynGZIwLwdDJxMb4M1kBdT3lpQWRhq24vE7/xSPANy8ipegvw
rZ8EYS0b0Ud4Bx60+L3rCMBJAwlSaddX/DDHaYUU8hxT5NRoK0eiWf9p4jd40Ob4
BYM/9mi4tv4Wq6tIEqSZfVMdNKgY3+0oBP5HEhEmXSk9Th0rNLySB7Xpix7dC5iF
4I0kpki8BFirE6rBGiKNARdXZJ9QTUTUG/wk1Ndgoe4kJG3PtR6PuY9DAWomqecz
aF/tmyIZXLeVEyZrS1rKLPlIjRHarALoQgB0Ln+UAhS0oyVJ5LrR4Ie70UDCMRNv
rNjki8AjTUnQarsp14lT
=+Tpv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ