CaféX Critical Issue Bulletin 013 - Vulnerability in Supervisor Assist and Chime OVAs


A critical security vulnerability has been found in the base operating system image that is used for all CafêX Chime and Supervisor Assist OVAs. This will affect all OVA-based installs of Supervisor Assist and Chime.


The base OVA image includes an OS user that was used by CafêX processes to launch VMs. An OS-level user was required that could execute commands as root in order to perform post-install functions.  If you know that the OS user exists and where to find the key, then you can get root access to the instance without requiring any further authentication.
It is highly unlikely that the SSH service is accessabile from outside of the green zone for any customer installs, but we view this is a serious security issue that needs to be resolved.
Please download a copy of the script from and execute it on your server (or request it from

scp -i server.pem

ssh -i server.pem

#sudo -s

#cp /home/user/ /root/

#chmod +x /root/

#cd /root

# ./ --yes

This script will forcibly delete the OS user and their home directory.
Have more questions? Submit a request