Apache CloudStack Releases Critical Patches (CVE-2024-42062 and CVE-2024-42222)


The Apache CloudStack project has issued an urgent security advisory urging users to update immediately to address two critical vulnerabilities, CVE-2024-42062 and CVE-2024-42222. CVE-2024-42062 affects releases from 4.10.0 through 4.19.1.0, while CVE-2024-42222 is a regression specific to 4.19.1.0. Together they could allow attackers to gain unauthorized access to sensitive information and compromise the integrity of CloudStack-managed infrastructure.

Apache CloudStack is a robust open-source software system designed to deploy and manage extensive networks of virtual machines. As a highly available and scalable Infrastructure as a Service (IaaS) cloud computing platform, it supports numerous organizations in efficiently managing their cloud resources.

CVE-2024-42062: A Key Exposure Risk

Because of a missing access-permission check, a domain admin account can query the registered API key and secret key of every user in the deployment, including those of root admins. Since a CloudStack API key and secret key are all that is needed to sign API requests as that user, anyone holding a domain admin account (or who has compromised one) can escalate to root admin and carry out malicious operations ranging from data compromise and integrity breaches to denial of service.

CVE-2024-42222: Unauthorized Network Access

A regression in the network listing API in Apache CloudStack 4.19.1.0 could allow users to view details of networks they are not authorized to see, breaking tenant isolation and exposing network configuration that should remain confidential. Unlike CVE-2024-42062, this issue is confined to the 4.19.1.0 release.

Mitigation and Resolution

To address these vulnerabilities, users are strongly advised to upgrade to Apache CloudStack 4.18.2.3 or 4.19.1.1. Users on older versions should skip 4.19.1.0 and upgrade directly to 4.19.1.1. As a precautionary measure, all existing user API keys should be regenerated after the upgrade: a key pair that a domain admin may already have read remains valid until it is replaced, so patching alone does not revoke it.
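The following is an added example, not code from the Apache CloudStack project or from the advisory, illustrating the two practical points above: why a leaked API key and secret key amount to a full account compromise (CloudStack signs API requests with an HMAC-SHA1 over the sorted, lowercased query string using the secret key, so the holder of both values can sign requests as that user), and how an operator would plan the key rotation the advisory recommends, issuing `registerUserKeys` for every user returned by `listUsers`. The endpoint URL, key values and user list are constructed sample data; no network calls are made, the functions return signed URLs so the rotation plan can be reviewed offline.

```python
"""Added example (not the CloudStack project's code): request signing and
a key-rotation plan for the post-upgrade step recommended by the advisory.
All endpoint, key and user values below are constructed samples."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Constructed sample values, not real credentials or a real host.
ENDPOINT = "https://cloudstack.example.internal/client/api"
SAMPLE_USERS = [  # shape of listUsers entries; accounttype 1 = root admin, 2 = domain admin, 0 = user
    {"id": "0b9b3e9e-1111-4d7b-9d4c-000000000001", "username": "admin", "accounttype": 1},
    {"id": "0b9b3e9e-1111-4d7b-9d4c-000000000002", "username": "tenant-a-admin", "accounttype": 2},
    {"id": "0b9b3e9e-1111-4d7b-9d4c-000000000003", "username": "tenant-a-user", "accounttype": 0},
]


def cloudstack_signature(params: dict, secret_key: str) -> str:
    """Compute the CloudStack API signature for a parameter set.

    Documented scheme: URL-encode each value, sort parameters by name, join
    as key=value with '&', lowercase the whole string, HMAC-SHA1 it with the
    secret key and base64-encode the digest. Nothing here needs more than the
    API key and secret key, which is why CVE-2024-42062 is an account takeover.
    """
    canonical = "&".join(
        f"{k}={quote(str(v), safe='*')}" for k, v in sorted(params.items())
    ).lower()
    digest = hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_url(command: str, api_key: str, secret_key: str, **kwargs) -> str:
    """Build a fully signed GET URL for `command` (extra kwargs are API parameters)."""
    params = {"command": command, "apikey": api_key, "response": "json", **kwargs}
    params["signature"] = cloudstack_signature(params, secret_key)
    return f"{ENDPOINT}?{urlencode(params, safe='*')}"


def verify_signed_url(url: str, secret_key: str) -> bool:
    """Server-side view: recompute the signature from the query string.

    A request signed with a leaked secret key passes this check exactly like a
    legitimate one; the server cannot tell the two apart.
    """
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = params.pop("signature", "")
    return hmac.compare_digest(presented, cloudstack_signature(params, secret_key))


def rotation_plan(users, api_key: str, secret_key: str, caller_user_id: str):
    """Return (username, signed registerUserKeys URL) for every user.

    registerUserKeys id=<user uuid> issues a fresh API/secret pair and
    invalidates the old one. Other root admins (accounttype 1) go first because
    theirs are the highest-value keys exposed; the caller's own user goes last,
    since rotating it earlier would invalidate the key signing the rest.
    """
    others = [u for u in users if u["id"] != caller_user_id]
    caller = [u for u in users if u["id"] == caller_user_id]
    ordered = sorted(others, key=lambda u: 0 if u["accounttype"] == 1 else 1) + caller
    return [
        (u["username"], signed_url("registerUserKeys", api_key, secret_key, id=u["id"]))
        for u in ordered
    ]


if __name__ == "__main__":
    # Sample credentials: a root admin's key pair (constructed values).
    plan = rotation_plan(SAMPLE_USERS, "apikey-sample", "secret-sample",
                         caller_user_id=SAMPLE_USERS[0]["id"])
    for username, url in plan:
        print(f"{username}: {url}")
```

In a real rotation the `listUsers` call (with `listall=true`, run as a root admin) supplies the user list, each URL is submitted in the order returned, and the response of the final call, the caller's own `registerUserKeys`, carries the new key pair the operator must store before any further requests.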
