The Apache CloudStack project has published an advisory for CVE-2024-42062 and CVE-2024-42222, both rated ‘critical’; both are explained below.
CVE-2024-42062: User Key Exposure to Domain Admins
CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can also generate and register randomised API and secret keys and use them for API-based automation and integrations. Due to an access permission validation issue that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0, domain admin accounts were found to be able to query the API and secret keys of all registered account-users in an environment, including those of a root admin. An attacker who has domain admin access can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resource integrity and confidentiality, data loss, denial of service and loss of availability of CloudStack managed infrastructure.
CVE-2024-42222: Unauthorised Network List Access
In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data.
Credit
The CVEs are credited to the following reporters:
- CVE-2024-42062:
  - Fabricio Duarte
- CVE-2024-42222:
  - Christian Gross of Netcloud AG
  - Midhun Jose
Affected Versions
- CVE-2024-42062 affects the following versions:
  - Apache CloudStack 4.10.0 through 4.18.2.2
  - Apache CloudStack 4.19.0.0 through 4.19.1.0
- CVE-2024-42222 affects the following version:
  - Apache CloudStack 4.19.1.0
Resolution
ShapeBlue, along with the Apache CloudStack community, has released security releases 4.18.2.3 and 4.19.1.1 to address the CVEs listed above. Users are recommended to upgrade to version 4.18.2.3, 4.19.1.1 or later, which addresses these issues. Additionally, users on a version older than 4.19.1.0 are advised to skip 4.19.1.0 and upgrade to 4.19.1.1 instead. To maintain the security of their environment, users are advised to regenerate all existing user keys. Users who are unable to upgrade may review and disable domain admin accounts in their environments and/or block access to the getUserKeys API for all non-Admin roles.
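The two interim mitigations above (deny getUserKeys to non-Admin roles, regenerate every user's keys) can be driven through the CloudStack API from a root admin's own API/secret key pair. The script below is an added example written for this post, not ShapeBlue's or the CloudStack project's own code: it implements CloudStack's HMAC-SHA1 request signing (the same scheme any key-based automation uses, which is why leaked keys are a full-privilege credential) and uses the existing listRoles, createRolePermission, listUsers and registerUserKeys commands. The ENDPOINT value is a placeholder to replace with your management server, and the role and user records in the test are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Placeholder endpoint (assumption for this example): point it at your own management server.
ENDPOINT = "https://cloudstack.example.invalid/client/api"


def canonical_query(params):
    """Query string in the form CloudStack signs: parameters sorted by
    name (case-insensitive), values URL-encoded, '*' left as-is."""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(
        f"{key}={urllib.parse.quote(str(value), safe='*')}" for key, value in ordered
    )


def sign(params, secret_key):
    """CloudStack API signature: base64(HMAC-SHA1(secret, lowercase(canonical query)))."""
    message = canonical_query(params).lower().encode()
    digest = hmac.new(secret_key.encode(), message, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_url(command, api_key, secret_key, **kwargs):
    """Full request URL for one API command, signature appended last."""
    params = {"command": command, "apiKey": api_key, "response": "json", **kwargs}
    signature = urllib.parse.quote(sign(params, secret_key), safe="")
    return f"{ENDPOINT}?{canonical_query(params)}&signature={signature}"


def call(command, api_key, secret_key, **kwargs):
    """Send a signed request and return the decoded JSON response."""
    with urllib.request.urlopen(signed_url(command, api_key, secret_key, **kwargs)) as resp:
        return json.load(resp)


def roles_needing_deny(roles):
    """Every role whose type is not 'Admin' (root admin): the built-in
    DomainAdmin, ResourceAdmin and User roles and custom roles of those types."""
    return [role for role in roles if role.get("type") != "Admin"]


def deny_getuserkeys_params(role):
    """createRolePermission parameters that deny getUserKeys on one role."""
    return {
        "roleid": role["id"],
        "rule": "getUserKeys",
        "permission": "deny",
        "description": "CVE-2024-42062 mitigation: deny getUserKeys",
    }


def block_getuserkeys(api_key, secret_key):
    """Add a getUserKeys deny rule to every non-Admin role; returns the role ids touched."""
    response = call("listRoles", api_key, secret_key)
    roles = response.get("listrolesresponse", {}).get("role", [])
    targets = roles_needing_deny(roles)
    for role in targets:
        call("createRolePermission", api_key, secret_key, **deny_getuserkeys_params(role))
    return [role["id"] for role in targets]


def regenerate_all_keys(api_key, secret_key, own_user_id):
    """Rotate keys for every user (listall=true), leaving the caller's own user
    for last so the credentials driving this script stay valid until the end.
    Each registerUserKeys response carries the new key pair: hand it to the
    user over a secure channel and never write it to logs."""
    response = call("listUsers", api_key, secret_key, listall="true")
    users = response.get("listusersresponse", {}).get("user", [])
    others = [u for u in users if u["id"] != own_user_id]
    own = [u for u in users if u["id"] == own_user_id]
    rotated = []
    for user in others + own:
        call("registerUserKeys", api_key, secret_key, id=user["id"])
        rotated.append(user["id"])
    return rotated
```

Two points to check before relying on the deny rule. Role permissions are evaluated in order and the first matching rule wins, so after adding the rule inspect the role with listRolePermissions and, if an earlier rule already allows getUserKeys (or a broad wildcard), move the deny rule ahead of it with updateRolePermission or in the UI. And a deny rule on the User and DomainAdmin roles also stops those users retrieving their own keys through getUserKeys, which is the intended trade-off until the environment is upgraded.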
Please refer to https://www.shapeblue.com/cloudstack-packages/ for usage of ShapeBlue provided 4.18-based and 4.19-based LTS security patch releases. To apply these patches, use the ShapeBlue CloudStack 4.18 or 4.19 repositories to upgrade packages on the management server hosts and the KVM hosts.
Further information
For ShapeBlue support customers, please get in touch with the support team for further information. For other CloudStack users, please use the community mailing lists.
Rohit Yadav oversees the Software Engineering function at ShapeBlue, providing leadership and mentorship to our ever-growing Engineering Team. He has been a PMC member of the project since 2015. Rohit is the author & maintainer of the CloudStack CloudMonkey project and has been instrumental in the development of many of CloudStack’s flagship features. Rohit regularly speaks at events, focussing on developer access to the project, and has also mentored Google Summer of Code students.