Overview

What is ShapeBlue Doing

ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS). The issue only affects users of CloudStack version 4.5.0 and newer, who use CloudStack SAML plugin. The vulnerability allows an attacker to bypass SAML authentication and log in as a SAML user using any non-empty password. ShapeBlue discovered the issue, reported it to the CloudStack security team and created the necessary secuity pathces. We have since worked with the secuity team to create the security release(s) that all CloudStack operators are recommended to update to. It is also thought that this vulnerability affects commercial distributions of Apache CloudStack.

Security release upgrade procedure

Users of Apache CloudStack using the SAML plugin should upgrade to one of the following versions, based on which release they are currently using: 4.5.2.1, 4.6.2.1, 4.7.1.1, or 4.8.0.1. These versions contain only security updates, and no other functionality change. The rpm and debian packages are available from ShapeBlue’s CloudStack repositories that can be used by users to upgrade the cloudstack-management package and restart their management server(s) to fix the issue.

Further information

For ShapeBlue support customers, please contact the support team for further information.

For other CloudStack users, please use the community mailing lists.

For users of commerical distribution of Cloudstack, please contact your vendor

Rohit Yadav

Rohit Yadav oversees the Software Engineering function at ShapeBlue, providing leadership and mentorship to our ever-growing Engineering Team. He has been a PMC member of the project since 2015. Rohit is the author & maintainer of the CloudStack CloudMonkey project and has been instrumental in the development of many of CloudStack’s flagship features. Rohit regularly speaks at events, focussing on developer access to the project, and has also mentored Google Summer of Code students.