ShapeBlue Security Advisory for CVE-2022-35741: XXE vulnerability in SAML 2.0 Service Provider Plugin for CloudStack

18 July 2022 13:30 UTC

Versions Affected

Any version of Apache CloudStack >= 4.5 (including currently supported versions: 4.16.0, 4.16.1, 4.17)


Any Apache CloudStack (affected versions) environments that have the SAML plugin enabled.


Apache CloudStack enables authentication through SAML 2.0 by providing a SAML 2.0 Service Provider Plugin. This plugin is disabled by default and is enabled by configuring the global setting saml2.enabled to true. Having this setting set to true in affected versions of Apache CloudStack could potentially allow the exploitation of XXE vulnerabilities such as arbitrary file reading, possible denial of service, server-side request forgery (SSRF) on the CloudStack management server. Tests have shown that this vulnerability can be exploited in Apache CloudStack (affected versions).


Operators of Apache CloudStack environments based on affected versions that do NOT use SAML 2 authentication should:

  • Check the global setting saml2.enabled is set to false and restart all the CloudStack management server(s). Or,
  • Install the appropriate Security Patch.

Operators of Apache CloudStack environments based on affected versions that do use SAML 2 authentication should:

  • Set the global setting saml2.enabled to false and restart all the CloudStack management server(s). This will disable SAML 2 plugin and the single-sign-on authentication. Operators should use an alternative authentication mechanism until a Security Patch is available. Or,
  • Install the appropriate Security Patch.


The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XML external entity (XXE) injection attacks.

XXE is a type of web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access. In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

Resolution: Security Patch

ShapeBlue, along with the Apache CloudStack community have released security patches for both 4.16 and 4.17 LTS branches that fix this issue. Further ShapeBlue has released customer security patches on the 4.15 branch.

The list of fixes that were made in these patches can be found here:

These 4.15, 4.16, and 4.17 patches are available in ShapeBlue repositories, please refer to for usage. To apply these patches, use the ShapeBlue CloudStack repositories to upgrade packages on the management server.

Further information

For ShapeBlue support customers, please contact the support team for further information. For other CloudStack users, please use the community mailing lists.


Related Posts:

Apache CloudStack enables existing VMware users and gives an easy way for service providers to migrate to a fully open-source solution and eliminate vendor dependency.