Impact
The ZStack Cloud releases before 3.10.38(included) are vulnerable to unauthorized access.
Patches
The problem already patched in ZStack 3.10.40 and all further versions (ZStack Cloud 4.x are not vulnerable).
Workarounds
We strongly suggest users upgrade to patched versions.
If you have a Web Application Firewall(WAF), filter requests GET /calls/uuids could reduce the impact of this vulnerability.
if you do not have a WAF, iptables could be an alternative(make sure running bellow command on all management node)
iptables -I INPUT -i br_eth0 -p tcp --dport 5000 -m string --string "/calls/uuids" --algo kmp -j DROP
# replace br_eth0 and 5000 to corresponding network interface and port number
For more information
If you have any questions or comments about this advisory:
evilashz Reporter
Impact
The ZStack Cloud releases before 3.10.38(included) are vulnerable to unauthorized access.
Patches
The problem already patched in ZStack 3.10.40 and all further versions (ZStack Cloud 4.x are not vulnerable).
Workarounds
We strongly suggest users upgrade to patched versions.
If you have a Web Application Firewall(WAF), filter requests GET
/calls/uuidscould reduce the impact of this vulnerability.if you do not have a WAF, iptables could be an alternative(make sure running bellow command on all management node)
For more information
If you have any questions or comments about this advisory: