
Apache CloudStack Security Releases 4.18.1.1 and 4.19.0.1

ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.1.1 and 4.19.0.1

Overview

The Apache CloudStack project has issued an advisory for the following CVEs:

CVE-2024-29006: x-forwarded-for HTTP header parsed by default

Severity: moderate

Description: By default, the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should an attacker decide to spoof their IP address this way.

Affected versions: Apache CloudStack 4.11.0.0 through 4.18.1.0, and 4.19.0.0

Credit: Yuyang Xiao <superxyyang@gmail.com> (finder)
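As an added illustration, not code from CloudStack or from the advisory, the following Python contrasts the behaviour described above (honouring X-Forwarded-For from any client) with a resolver that only consults the header when the request arrives through a configured trusted proxy. The 10.0.0.0/24 proxy range and the lower-cased header dictionary are constructed assumptions.

```python
import ipaddress
from typing import Dict, Sequence

# Constructed example: the address range of the reverse proxies that sit in
# front of the management server. Only hops in this range may set the header.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/24"),)


def _is_trusted(addr, trusted: Sequence) -> bool:
    return any(addr in net for net in trusted)


def naive_client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """The behaviour the advisory describes: honour X-Forwarded-For from any
    client, so the caller chooses the address that is logged or checked.
    Header names are assumed to be lower-cased by the caller."""
    xff = headers.get("x-forwarded-for", "")
    first = xff.split(",")[0].strip()
    return first or peer_ip


def resolve_client_ip(peer_ip: str, headers: Dict[str, str],
                      trusted: Sequence = TRUSTED_PROXIES) -> str:
    """Hardened variant: consult X-Forwarded-For only when the TCP peer is a
    trusted proxy, and take the right-most address that was not itself
    appended by a trusted hop. Anything malformed falls back to the socket
    address, so a client can never make itself look like another host."""
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted):
        # Direct connection or unknown proxy: the header is untrusted input.
        return peer_ip
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    # Walk from the right: each trusted proxy appended the address it saw,
    # so the first untrusted address from the right is the real client.
    for hop in reversed(hops):
        if not hop:
            continue
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # garbage in the header: fail closed
        if not _is_trusted(addr, trusted):
            return str(addr)
    return peer_ip  # every hop was a proxy; fall back to the socket address
```

The same rule applies to logging: record the resolved address, not the raw header, so that audit entries cannot be forged by a direct client.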

CVE-2024-29007: When downloading templates or ISOs, the management server and SSVM follow HTTP redirects with potentially dangerous consequences

Severity: moderate

Affected versions: Apache CloudStack 4.9.1.0 through 4.18.1.0, and 4.19.0.0

Description: The CloudStack management server and secondary storage VM could be tricked into making requests to restricted or random resources by means of following 301 HTTP redirects presented by external servers when downloading templates or ISOs. Users are recommended to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue.

Credit: Yuyang Xiao <superxyyang@gmail.com> (finder)

CVE-2024-29008: The extraconfig feature can be abused to load hypervisor resources on a VM instance

Severity: critical

Affected versions: Apache CloudStack 4.14.0.0 through 4.18.1.0, and 4.19.0.0

Description: A problem has been identified in the CloudStack additional VM configuration (extraconfig) feature. Anyone who has the privilege to deploy a VM instance, or to configure the settings of an already deployed VM instance, can misuse it to set additional VM configuration even when the feature has not been explicitly enabled by the administrator. In a KVM-based CloudStack environment, an attacker can exploit this issue to attach host devices, such as storage disks and PCI or USB devices (for example network adapters and GPUs), to a regular VM instance; this can be further exploited to gain access to the underlying network and storage infrastructure resources and to any VM instance disks on the local storage.

Resolution

ShapeBlue, along with the Apache CloudStack community, has released security releases 4.18.1.1 and 4.19.0.1 to address the CVEs listed above. Affected users are recommended to upgrade their CloudStack installations.

Please refer to https://www.shapeblue.com/packages for instructions on using the ShapeBlue-provided 4.18-based and 4.19-based security patch releases. To apply these patches, use the ShapeBlue CloudStack 4.18 or 4.19 repositories to upgrade the packages on the management server and on the KVM hosts.

The list of fixes that were made in these patches can be found here:

Further information

ShapeBlue support customers should contact the support team for further information. Other CloudStack users should use the community mailing lists.
