Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30154
HistoryJan 08, 2014 - 12:00 a.m.

[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when destroying a DigitalOcean node

2014-01-0800:00:00
vulners.com
22

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

[CVE-2013-6480] Libcloud doesn't send scrub_data query parameter when
destroying a DigitalOcean node

Severity: Low

Vendor: Apache Software Foundation

Project: Apache Libcloud (http://libcloud.apache.org/)

Affected Versions: Apache Libcloud 0.12.3 to 0.13.3 (version prior to
0.12.3 don't include a DigitalOcean driver)

Description:

DigitalOcean recently changed the default API behavior from scrub to
non-scrub when destroying a VM.

Libcloud doesn't explicitly send "scrub_data" query parameter when
destroying a node. This means nodes which are destroyed using Libcloud
are vulnerable to later customers stealing data contained on them.

Note: Only users who are using DigitalOcean driver are affected by this issue.

References:

Mitigation:

This vulnerability has been fixed in version 0.13.3. Users who use
DigitalOcean driver are strongly encouraged to upgrade to this
release.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQJ8BAEBCgBmBQJSxEgAXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ5OTc4MjhEQzYyRjc1OUNFQTE4OUQ2NUUy
QzA3NTRCMkNFMDY5MkYzAAoJECwHVLLOBpLzbRcQAJqSobMiGfjpBQCGhda8zW62
6aPEjyuStv9FZ0/eLN6bxPCV8LdxOYy6M1oehr3ntT56Dd/lZ9+gwJunTH3UqWmq
ZqiwmME8JLhNTLC8tab+yE82lQlck2iXgTaJ5pZfXELFPiTEZ+DAQN26CpkA8bLO
cXAlMJkskPS6BkkgLDtLfO9RHe8T0QsEcHxQSwCpursiIlQEfjG3tQqG21KEvSm6
Q31qv87cZrG2pQPXEQ7Ir59E7Yos/7vEnG57wY/Xj94wKeKpHxnBUUL37BW+/tb1
qP29zZUol628HxowsGCN7xJPlXrcc4wc37rWja/UTcBWZGUk4EKTX9xXVs1jKuPB
lJqlGkEHglRcFI1AJLv9VkPBj77z6aEFu89bbJn8aZwAmPwnIBLZiJGp0LvqlVap
RYgV8SdLb1D4GxTDJJN76PLghMJdo1mEUwLbinr8JGH/MXzTkTUwgMCv7ks8ww7Q
hZp40rKDY+Su7VML6ONcnnvZTlAxCJM2lexD0svV8e3oXf/8lUzlnHCHQH8/TIrV
6DV4mj7Yg+HiR9Tj8+AMAAmC5l88Byl/+sJjAEdWBTKjzwiey5ocDX5s/aL12o+9
JX7vnFOWaGWf0pMeGuCl2gqtG+jFoEkr7BU7d0k7TvVFTQ0jTrrhVv9rbdIiJbK4
HXvdPzy/CBQt0tUGc6UT
=8Jgs
-----END PGP SIGNATURE-----

Related for SECURITYVULNS:DOC:30154