[ANNOUNCE][SECURITY] CloudStack 4.9.3.1 Robot TLS attack


All,

On private@ and security@, we discussed and worked on a fix for the ROBOT TLS
attack [1] and released CloudStack 4.9.3.1. The issue does not affect the
latest 4.11.0.0 version and does not require any upgrades/fixes/changes in
that regard.

The issue primarily affects installations that are using an older version
of bouncycastle; the only change we made against the 4.9.3.0 release was to
upgrade the bouncycastle dependency to version 1.59 [2]. After upgrading
from 4.9.3.0 to 4.9.3.1, users will be required to destroy the old CPVMs and
SSVMs (new ones will be patched by a newer systemvm.iso that will carry the
v1.59 bc dependency jar) and to upgrade and restart the KVM agent(s) and
management server(s).

Download page:
http://cloudstack.apache.org/downloads.html

Release notes for 4.9.3.1:
http://docs.cloudstack.apache.org/projects/cloudstack-release-notes/en/4.9.3.1/

[1] https://robotattack.org/
[2] https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c

Regards,
Rohit Yadav