Apache CloudStack Releases Critical Patches (CVE-2024-42062 and CVE-2024-42222)
The Apache CloudStack project has issued an urgent security advisory, urging users to update their software immediately to address two critical vulnerabilities, CVE-2024-42062 and CVE-2024-42222. These vulnerabilities, found in versions 4.10.0 through 4.19.1.0, could allow attackers to gain unauthorized access to sensitive information and compromise the integrity of CloudStack-managed infrastructure.
Apache CloudStack is a robust open-source software system designed to deploy and manage extensive networks of virtual machines. As a highly available and scalable Infrastructure as a Service (IaaS) cloud computing platform, it supports numerous organizations in efficiently managing their cloud resources.
CVE-2024-42062: A Key Exposure Risk
Due to an access permission validation issue, domain admin accounts can query all registered API and secret keys of account users, including those of root admins. This exposure allows attackers with domain admin access to escalate their privileges, potentially leading to malicious operations such as data compromise, integrity breaches, and denial of service.
CVE-2024-42222: Unauthorized Network Access
A regression in the network listing API in Apache CloudStack 4.19.1.0 could allow unauthorized users to access network details, posing a significant risk to tenant isolation and data confidentiality.
Mitigation and Resolution
To address these critical vulnerabilities, users are strongly advised to upgrade to Apache CloudStack version 4.18.2.3 or 4.19.1.1. Users on older versions should skip 4.19.1.0 and upgrade directly to 4.19.1.1. As a precautionary measure, it is recommended that all existing user API and secret keys be regenerated, since keys exposed through CVE-2024-42062 remain valid until they are replaced.
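The key-regeneration step above, as an added example that is not CloudStack project code: a Python script that lists every user through the CloudStack API and calls `registerUserKeys` for each, using CloudStack's documented request-signing scheme (sorted, lower-cased query string, HMAC-SHA1, base64). The endpoint URL and the root admin key pair are placeholders; the caller's own user is rotated last so the admin pair stays valid for the remaining requests.

```python
# Added example (not CloudStack project code): rotate every user's API key pair
# after CVE-2024-42062. ENDPOINT, ADMIN_API_KEY and ADMIN_SECRET are placeholders.
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

ENDPOINT = "https://cloudstack.example.invalid/client/api"  # placeholder management server
ADMIN_API_KEY = "REPLACE_WITH_ROOT_ADMIN_API_KEY"           # placeholder
ADMIN_SECRET = "REPLACE_WITH_ROOT_ADMIN_SECRET_KEY"         # placeholder

def canonical_query(params: dict) -> str:
    """String CloudStack signs: URL-encoded values, pairs sorted by key, whole string lower-cased."""
    enc = {k: urllib.parse.quote(str(v), safe="*") for k, v in params.items()}
    return "&".join(f"{k}={enc[k]}" for k in sorted(enc, key=str.lower)).lower()

def sign(params: dict, secret: str) -> str:
    """HMAC-SHA1 over the canonical query with the user's secret key, base64-encoded."""
    mac = hmac.new(secret.encode(), canonical_query(params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed_url(command: str, api_key: str, secret: str, **extra) -> str:
    """Complete request URL: the parameters plus the 'signature' field CloudStack verifies."""
    params = {"command": command, "apikey": api_key, "response": "json", **extra}
    query = "&".join(f"{k}={urllib.parse.quote(str(v), safe='*')}" for k, v in params.items())
    return f"{ENDPOINT}?{query}&signature={urllib.parse.quote(sign(params, secret), safe='')}"

def call(command: str, **extra) -> dict:
    """Send one signed API command as the root admin and return the parsed JSON response."""
    with urllib.request.urlopen(signed_url(command, ADMIN_API_KEY, ADMIN_SECRET, **extra)) as resp:
        return json.load(resp)

def rotation_order(users: list, caller_api_key: str) -> list:
    """User ids to rotate, with the caller's own user last: rotating it first would
    invalidate the key pair that signs the remaining requests."""
    others = [u["id"] for u in users if u.get("apikey") != caller_api_key]
    return others + [u["id"] for u in users if u.get("apikey") == caller_api_key]

def rotate_all_keys() -> int:
    """Issue a fresh key pair to every user (old pairs stop working); returns the count rotated."""
    users = call("listUsers", listall="true")["listusersresponse"].get("user", [])
    ids = rotation_order(users, ADMIN_API_KEY)
    for uid in ids:
        call("registerUserKeys", id=uid)
    return len(ids)
```

Call `rotate_all_keys()` once with a root admin's key pair; when it returns, the caller's own pair has changed too, so the new pair must be taken from the last `registerUserKeys` response or the UI.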