ShapeBlue Security Advisory for CVE-2022-35741: XXE vulnerability in SAML 2.0 Service Provider Plugin for CloudStack

18 July 2022 13:30 UTC

Versions Affected: Any version of Apache CloudStack >= 4.5 (including currently supported versions: 4.16.0, 4.16.1, 4.17)

Scope: Any Apache CloudStack (affected versions) environments that have the SAML plugin enabled.

Summary: Apache CloudStack enables authentication through SAML 2.0 by providing a SAML 2.0 Service Provider Plugin. This plugin is disabled by default and is enabled by configuring the global setting saml2.enabled to true. Having this setting set to true in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack […]

ShapeBlue Advisory on Libvirt 8+ Compatibility Issues with CloudStack

Overview: As of the 4.15 release, CloudStack has supported various EL8 operating systems / hypervisors, namely RHEL 8, CentOS 8, Rocky Linux 8 (and in theory – as of CloudStack 4.16 – all other EL8 variants including e.g. Alma Linux 8) – for both management servers and hypervisors. Similarly, support for Ubuntu 20.04 was added as of CloudStack 4.15, and OpenSUSE as of 4.16. All these Linux systems worked fine as hypervisors, until libvirt was upgraded to version 8+.

Effects on CloudStack: Historically, CloudStack used to set 22-character VNC passwords for KVM Virtual Machines, and libvirt was silently trimming it […]

Machine Learning and Apache CloudStack | Case Studies

Introduction: In this blog we discuss applications of machine learning (ML) in datacentres and how that might integrate with Apache CloudStack (ACS). We also try to identify various places in the lifecycle of datacentres where such tools can be helpful. With any datacentre deployment, the primary goal is to achieve efficient resource provisioning whilst also maintaining performance and availability. Datacentres have become complex and multidimensional, both in terms of software and hardware, and we should also consider a hybrid hosting character. Maintaining an optimal deployment with minimal downtime is consequently becoming more challenging with manual operations. Recent trends show some […]

ShapeBlue Security Advisory – Spectre and Meltdown patches in CloudStack 4.9 and 4.11

Overview: At the beginning of 2018 a number of vulnerabilities were discovered which allow malicious user space processes to read kernel memory and malicious code in VM guests to read hypervisor memory. These vulnerabilities affect most CPU manufacturers – Intel, AMD, ARM, MIPS, etc. The vulnerabilities were nicknamed “Spectre” and “Meltdown” and are outlined in the following CVEs:

Spectre variant 1 – Bounds Check Bypass: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
Spectre variant 2 – Branch Target Injection: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
Meltdown variant 3 – Rogue Data Cache Launch: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

From a CloudStack point of view the main affected components are the system VM templates. This advisory outlines the fix provided […]

ShapeBlue Security Advisory – DNSMasq Vulnerabilities

A number of security flaws were recently found in the DNSMasq tool. This tool is used by many systems to provide DNS and DHCP services, including the CloudStack System VMs.
This advisory explains their effect on CloudStack and how to patch CloudStack against these flaws.

Migration away from download.cloud.com to download.cloudstack.org may cause problems in existing CloudStack installations and versions

Background: CloudStack relies on a fixed download site when it fetches the built-in guest VM templates. That download site has historically been download.cloud.com and is being replaced by download.cloudstack.org. download.cloudstack.org is now fully functional. The retirement date of download.cloud.com is unknown but expected to be imminent.

The issue & behaviour: After the retirement of download.cloud.com, the following issues may be experienced: When installing CloudStack for the first time, failures will occur when downloading the built-in templates. For existing installations of CloudStack, if administrators or users attempt to re-download a template (for example when creating a new zone), failures will occur. Versions […]

Shapeblue Security Advisory For CVE-2016-6813: Apache CloudStack registerUserKeys authorization vulnerability

Overview: Apache CloudStack provides a registerUserKeys API that allows a user to create or recreate a secret key and an API key to use for authentication when using the CloudStack API. A malicious user can request this API action in conjunction with the ID of another CloudStack user/account. The newly created or re-generated API keys for this other user would then be returned to the malicious user, giving them access to the other user’s account and resources. The issue affects all users of CloudStack 4.1 and above. NOTE: In order to exploit this vulnerability the malicious user must themselves have authenticated API […]

Shapeblue Security Advisory For CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

Overview: Apache CloudStack contains an authentication module providing “single sign-on” functionality via the SAML data format. Under certain conditions, a user could manage to access the user interface without providing proper credentials. As the SAML plugin is disabled by default, this issue only affects installations that have enabled and use SAML-based authentication.

Mitigation: Users of Apache CloudStack using the SAML plugin should upgrade to one of the following versions, based on which release they are currently using: 4.5.2.1, 4.6.2.1, 4.7.1.1, or 4.8.0.1. These versions contain only security updates, and no other functionality change.

Versions affected: CloudStack versions 4.5.0 and newer […]

Shapeblue Security Advisory for CVE-2015-0235, aka the Ghost vulnerability

Overview: A vulnerability has been recently disclosed by Qualys that could result in a remote attacker being able to execute malicious instructions on vulnerable systems. The vulnerability affects Linux based operating systems. This is better known as the GHOST ‘glibc’ vulnerability (CVE-2015-0235): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

What is ShapeBlue Doing: ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS). The download template functionality provided by the SSVM to the end user puts it at risk. Since it is a Linux issue, all Apache CloudStack versions are affected. An immediate fix would be to log in to each SSVM and upgrade the glibc package to the one that […]

Retirement of the realhostip.com Service

The realhostip.com service will be switched off on the 1st October 2014. Paul Angus looks at what it did, what effect the retirement will have and what you need to do to carry on working if you’re affected.

What is realhostip.com? When you connect to the Console Proxy system VM or download a disk or ISO from the secondary storage VM you connect over a secure (https) connection. This is particularly important when you put in your password. In order for this to be secure you need to connect to a URL which has a FQDN and have a certificate […]