CVE-2015-3252
critical
CVSS v3
9.8
CVSS v2
6.0
VIR risk
9.8
Description
Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual machines, which allows remote attackers to gain access by connecting to the VNC server.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://blogs.apache.org/cloudstack/entry/two_late_announced_security_advisories
Vendor advisory: secalert@redhat.com — http://mail-archives.apache.org/mod_mbox/cloudstack-users/201602.mbox/%3C7508580E-3D83-49FD-BE6E-B329B0503130%40gmail.com%3E
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | cloudstack | {"endIncluding":"4.5.1"} | |
References
- http://mail-archives.apache.org/mod_mbox/cloudstack-users/201602.mbox/%3C7508580E-3D83-49FD-BE6E-B329B0503130%40gmail.com%3E
- http://www.securityfocus.com/archive/1/537459/100/0/threaded
- https://blogs.apache.org/cloudstack/entry/two_late_announced_security_advisories
- http://mail-archives.apache.org/mod_mbox/cloudstack-users/201602.mbox/%3C7508580E-3D83-49FD-BE6E-B329B0503130%40gmail.com%3E
- http://www.securityfocus.com/archive/1/537459/100/0/threaded
- https://blogs.apache.org/cloudstack/entry/two_late_announced_security_advisories
CWEs
CWE-255
Verify integrity in audit chain (admin only). AS-IS.