Apache CloudStack contains an authentication module providing “single sign-on” functionality via the SAML data format. Under certain conditions, a user could manage to access the user interface without providing proper credentials. As the SAML plugin is disabled by default, this issue only affects installations that have enabled and use SAML-based authentication.
Users of Apache CloudStack using the SAML plugin should upgrade to one of the following versions, based on which release they are currently using: 184.108.40.206, 220.127.116.11, 18.104.22.168, or 22.214.171.124. These versions contain only security updates, and no other functionality change.
CloudStack versions 4.5.0 and newer with SAML authentication enabled.
What is ShapeBlue Doing
ShapeBlue has analysed the impact of this issue on Apache CloudStack (ACS). The issue only affects users of CloudStack version 4.5.0 and newer who use the CloudStack SAML plugin. The vulnerability allows an attacker to bypass SAML authentication and log in as a SAML user using any non-empty password. ShapeBlue discovered the issue, reported it to the CloudStack security team and created the necessary security patches. We have since worked with the security team to create the security release(s) that all CloudStack operators are recommended to update to. It is also thought that this vulnerability affects commercial distributions of Apache CloudStack.
Security release upgrade procedure
Users of Apache CloudStack using the SAML plugin should upgrade to one of the following versions, based on which release they are currently using: 126.96.36.199, 188.8.131.52, 184.108.40.206, or 220.127.116.11. These versions contain only security updates, and no other functionality change. RPM and Debian packages are available from ShapeBlue’s CloudStack repositories; users can use them to upgrade the cloudstack-management package and then restart their management server(s) to fix the issue.
For ShapeBlue support customers, please contact the support team for further information.
For other CloudStack users, please use the community mailing lists.
For users of commercial distributions of CloudStack, please contact your vendor.