Eucalyptus before 3.1.1 does not properly restrict the binding of external SOAP web-services messages, which allows remote authenticated users to gain privileges by sending a message to (1) Cloud Controller or (2) Walrus with the internal message format and a modified user id.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Eucalyptus | Eucalyptus | * | 3.1.0 (including) |
| Eucalyptus | Eucalyptus | 1.0 (including) | 1.0 (including) |
| Eucalyptus | Eucalyptus | 1.1 (including) | 1.1 (including) |
| Eucalyptus | Eucalyptus | 1.2 (including) | 1.2 (including) |
| Eucalyptus | Eucalyptus | 1.3 (including) | 1.3 (including) |
| Eucalyptus | Eucalyptus | 1.4 (including) | 1.4 (including) |
| Eucalyptus | Eucalyptus | 1.5.1 (including) | 1.5.1 (including) |
| Eucalyptus | Eucalyptus | 1.5.2 (including) | 1.5.2 (including) |
| Eucalyptus | Eucalyptus | 1.6 (including) | 1.6 (including) |
| Eucalyptus | Eucalyptus | 1.6.2 (including) | 1.6.2 (including) |
| Eucalyptus | Eucalyptus | 2.0 (including) | 2.0 (including) |
| Eucalyptus | Eucalyptus | 2.0.0 (including) | 2.0.0 (including) |
| Eucalyptus | Eucalyptus | 2.0.1 (including) | 2.0.1 (including) |
| Eucalyptus | Eucalyptus | 2.0.2 (including) | 2.0.2 (including) |
| Eucalyptus | Eucalyptus | 2.0.3 (including) | 2.0.3 (including) |
| Eucalyptus | Eucalyptus | 3.0 (including) | 3.0 (including) |
| Eucalyptus | Eucalyptus | 3.0.1 (including) | 3.0.1 (including) |
| Eucalyptus | Eucalyptus | 3.1.1 (including) | 3.1.1 (including) |
| Eucalyptus | Ubuntu | lucid | * |
| Eucalyptus | Ubuntu | natty | * |
| Eucalyptus | Ubuntu | oneiric | * |
| Eucalyptus | Ubuntu | precise | * |
| Eucalyptus | Ubuntu | upstream | * |