Apache CloudStack Patches Critical Security Flaws in Latest Release

The Apache CloudStack project has announced the release of LTS security releases 4.18.2.4 and 4.19.1.2 to address four security vulnerabilities, including two rated as “Important.” CloudStack is a popular open-source platform used to build and manage Infrastructure-as-a-Service (IaaS) clouds.

The most severe vulnerability, CVE-2024-45219, could allow attackers to compromise KVM-based infrastructure. “Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure,” the advisory warns. This vulnerability stems from a lack of validation checks, enabling attackers to deploy malicious instances or attach compromised volumes to gain access to host filesystems.

“This could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack,” the project explains.

Another “Important” flaw, CVE-2024-45693, involves a request origin validation bypass that could lead to account takeover. Attackers could trick logged-in users into submitting malicious requests, potentially granting access to sensitive data and control over the user’s resources.

Two “Moderate” severity vulnerabilities were also patched:

• CVE-2024-45461: Access checks not enforced in the Quota feature, potentially allowing unauthorized modification of quota configurations.
• CVE-2024-45462: Incomplete session invalidation on web interface logout, enabling unauthorized access if a user’s browser session remains active.

Mitigation

The Apache CloudStack project strongly recommends that users upgrade to versions 4.18.2.4 or 4.19.1.2 to mitigate these vulnerabilities. The advisory also provides detailed instructions on how to scan and validate templates and volumes to ensure they are not compromised.

“Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features,” the advisory states.

Related Posts:

• Critical Security Advisory for Apache CloudStack: CVE-2024-38346 and CVE-2024-39864
• Apache CloudStack Releases Critical Patches (CVE-2024-42062 and CVE-2024-42222)
• Apache CloudStack Releases Critical Security Patches – Update Immediately
• CVE-2024-41107: Apache CloudStack Vulnerability Exposes User Accounts to Compromise