Eucalyptus

Security Information

We take the security requirements of our community very seriously. Community members can submit security-related questions and possible security issues to our security team. All reported security issues will be reviewed promptly. You can submit a report via email at security@eucalyptus.com or see our issue reporting page.

When a security issue has been verified, our security team assigns it a severity rating. Security issue severity ratings are as follows:

  • Critical: The security issue allows remote parties to gain cloud administrator privileges, and possibly to escalate to an administrative user of the machine hosting Eucalyptus;
  • Moderate: The security issue allows for leaks of confidential data and/or possible privilege escalation (i.e., an approved cloud user may assume cloud administrator privileges);
  • Low: Any other security-related issue that might otherwise be assigned a higher severity rating, but whose exploitation requires unlikely conditions or configuration.

The team determines the access type required to exploit the vulnerability. Access types are defined as follows:

  • Local access: The attacker must have authenticated login access to the OS hosting the Eucalyptus components or must be an authenticated Eucalyptus user to exploit the vulnerability;
  • Remote access: The attacker DOES NOT need authenticated login access to the OS hosting the Eucalyptus components and DOES NOT need to be an authenticated Eucalyptus user to exploit the vulnerability.

The final step is the release of a Eucalyptus Security Advisory, which includes a severity rating, access type, description of the issue, and recommended solution. The solution could involve an upgrade of your installation or changes to your configuration that eliminate the security risk. To receive Eucalyptus Security Advisories via email, please subscribe to security-announce+subscribe@eucalyptus.com or see the listing below of all Eucalyptus Security Advisories.

Note: Please ensure that your spam filter will allow the above email addresses.

Eucalyptus Advisories are securely signed using the following key, which you can download from Eucalyptus or from the public keyserver at pgp.mit.edu:

The fingerprint of the key is: F800 B6B2 A021 824D 5D4B CCB5 0B56 CD67 15CE 00FC


| Date | Advisory | CVEs | Description | Severity |
|---|---|---|---|---|
| Dec. 16, 2010 | ESA-01 | CVE-2010-3905 | Password reset vulnerability | Critical |
| May 25, 2011 | ESA-02 | CVE-2011-0730 | XML Signature Element Wrapping vulnerability | Critical |

Contact our security team at security@eucalyptus.com.

To receive Security Advisories, please send an email to our mailing list at security-announce+subscribe@eucalyptus.com.

Attachment: pubkey.txt (1.69 KB)