Citrix and the Apache Software Foundation have alerted users to a critical vulnerability in the CloudStack open source cloud infrastructure management software. The vulnerability affects all versions of Cloudstack prior to October 7, including the Citrix commercial version.

Vulnerability could allow an attacker to take a number of unwanted actions, including deleting all of the virtual machines on a system. There are no known exploits at this time, Details of the issue were disclosed on Sunday.

Cloudstack is one of the largest open source cloud infrastructure management systems together with OpenStack and Eucalyptus. Mitigation against the vulnerability is possible by logging into the Cloudstack MySQL database, disabling the system user and setting a random password.

"The CloudStack PPMC was notified of a configuration vulnerability that exists in development versions of the Apache Incubated CloudStack project. This vulnerability allows a malicious user to execute arbitrary CloudStack API calls. A malicious user could, for example, delete all VMs in the system. Addressing this issue is especially important for anybody using CloudStack in a public environment," John Kinsella wrote in a report on the bug.
The Hacker News

The Apache CloudStack code has been updated with a fix for the issue and it is believed that the issue should not affect any upcoming releases of the incubating Apache CloudStack project; version 4.0 has currently been frozen and a release candidate is expected soon.

In March this year, Citrix announced that it would abandon its OpenStack distribution in favour of the CloudStack operating system.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.