Information Disclosure Vulnerability in CloudStack by Apache and Citrix
CVE-2012-5616

Currently unrated

Key Information:

Vendor: Citrix
Status: Cloudplatform; Cloudstack
Vendor: CVE Published:; 22 January 2013

Summary

An information disclosure vulnerability exists in Apache CloudStack and Citrix CloudPlatform, where sensitive information such as SSH private keys and passwords for hosts and VMs can be accessed by local users. This occurs due to the improper storage of crucial data in the log4j.conf file, which may allow unauthorized access to sensitive details through various APIs, including createSSHKeyPair, AddHost, DeployVM, and ResetPasswordForVM.

References

http://support.citrix.com/article/CTX136163

x_refsource_CONFIRM

http://osvdb.org/89146

vdb-entryx_refsource_OSVDB

http://seclists.org/fulldisclosure/2013/Jan/65

mailing-listx_refsource_FULLDISC

Timeline

Vulnerability published
Jan 22, 2013
Vulnerability Reserved
Oct 24, 2012