BugTraq
[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node Jan 01 2014 04:56PM
Tomaz Muraus (tomaz apache org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when
destroying a DigitalOcean node

Severity: Low

Vendor: Apache Software Foundation

Project: Apache Libcloud (http://libcloud.apache.org/)

Affected Versions: Apache Libcloud 0.12.3 to 0.13.3 (version prior to
0.12.3 don't include a DigitalOcean driver)

Description:

DigitalOcean recently changed the default API behavior from scrub to
non-scrub when destroying a VM.

Libcloud doesn't explicitly send "scrub_data" query parameter when
destroying a node. This means nodes which are destroyed using Libcloud
are vulnerable to later customers stealing data contained on them.

Note: Only users who are using DigitalOcean driver are affected by this issue.

References:

- - http://libcloud.apache.org/security.html
- - https://digitalocean.com/blog_posts/transparency-regarding-data-security

- - https://github.com/fog/fog/issues/2525

Mitigation:

This vulnerability has been fixed in version 0.13.3. Users who use
DigitalOcean driver are strongly encouraged to upgrade to this
release.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQJ8BAEBCgBmBQJSxEgAXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5OTc4MjhEQzYyRjc1OUNFQTE4OUQ2NUUy
QzA3NTRCMkNFMDY5MkYzAAoJECwHVLLOBpLzbRcQAJqSobMiGfjpBQCGhda8zW62
6aPEjyuStv9FZ0/eLN6bxPCV8LdxOYy6M1oehr3ntT56Dd/lZ9+gwJunTH3UqWmq
ZqiwmME8JLhNTLC8tab+yE82lQlck2iXgTaJ5pZfXELFPiTEZ+DAQN26CpkA8bLO
cXAlMJkskPS6BkkgLDtLfO9RHe8T0QsEcHxQSwCpursiIlQEfjG3tQqG21KEvSm6
Q31qv87cZrG2pQPXEQ7Ir59E7Yos/7vEnG57wY/Xj94wKeKpHxnBUUL37BW+/tb1
qP29zZUol628HxowsGCN7xJPlXrcc4wc37rWja/UTcBWZGUk4EKTX9xXVs1jKuPB
lJqlGkEHglRcFI1AJLv9VkPBj77z6aEFu89bbJn8aZwAmPwnIBLZiJGp0LvqlVap
RYgV8SdLb1D4GxTDJJN76PLghMJdo1mEUwLbinr8JGH/MXzTkTUwgMCv7ks8ww7Q
hZp40rKDY+Su7VML6ONcnnvZTlAxCJM2lexD0svV8e3oXf/8lUzlnHCHQH8/TIrV
6DV4mj7Yg+HiR9Tj8+AMAAmC5l88Byl/+sJjAEdWBTKjzwiey5ocDX5s/aL12o+9
JX7vnFOWaGWf0pMeGuCl2gqtG+jFoEkr7BU7d0k7TvVFTQ0jTrrhVv9rbdIiJbK4
HXvdPzy/CBQt0tUGc6UT
=8Jgs
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus