Apache CloudStack Releases Critical Security Patches – Update Immediately
The Apache Software Foundation has issued security releases 4.18.1.1 and 4.19.0.1 for its popular cloud management platform, Apache CloudStack. These releases address three vulnerabilities, one rated ‘critical,’ that could allow attackers to bypass authentication, redirect traffic, and potentially gain control of underlying infrastructure.
Vulnerabilities and Impact
- CVE-2024-29006 (Moderate): Unrestricted parsing of the X-Forwarded-For HTTP header within CloudStack’s management server could lead to API request source IP spoofing, potentially enabling authentication bypass and further exploitation.
- CVE-2024-29007 (Moderate): By following malicious HTTP redirects during template or ISO downloads, CloudStack’s management server and secondary storage virtual machines (SSVMs) could be tricked into making unauthorized requests, potentially exposing sensitive resources.
- CVE-2024-29008 (Critical): CloudStack’s “extraconfig” VM configuration feature, even if disabled, can be abused to load hypervisor resources onto a virtual machine. In KVM environments, this grants attackers the ability to attach host devices, potentially compromising network and storage infrastructure, and gaining access to VM disks.
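The first two items describe bug classes that any management plane can carry, so here is an added illustration in Python (not Apache CloudStack's code and not part of the advisory) of the defensive checks that close them: deriving the API caller's address from X-Forwarded-For only when the request arrives through a known reverse proxy, and validating every hop of an HTTP redirect chain before a server-side downloader follows it. The proxy ranges, hostnames and IP addresses used are constructed for the demonstration.

```python
# Added example, not CloudStack code: defensive checks for the two bug
# classes above. Proxy ranges, hostnames and addresses are constructed.
import ipaddress
import socket
from typing import List, Optional
from urllib.parse import urljoin, urlparse

# Hypothetical reverse-proxy ranges for this deployment (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.0/24")]
# Address space a server-side downloader must never be steered into.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)

def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Address to treat as the API caller (CVE-2024-29006 bug class).

    X-Forwarded-For counts only when the TCP peer is a trusted proxy. The
    chain is walked from the right, trusted hops skipped, and the first
    untrusted hop is the client; a malformed hop or an all-proxy chain
    falls back to the peer address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not _in_any(peer, trusted):
        return str(peer)
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if not _in_any(addr, trusted):
            return str(addr)
    return str(peer)

def _is_internal(addr) -> bool:
    """Check against NON_ROUTABLE, unmapping ::ffff:a.b.c.d to IPv4 first."""
    mapped = getattr(addr, "ipv4_mapped", None)
    return _in_any(mapped if mapped is not None else addr, NON_ROUTABLE)

def _system_resolve(hostname: str) -> List[str]:
    """Every A/AAAA answer for a name (a literal IP resolves to itself)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def redirect_target_allowed(url: str, resolve=_system_resolve) -> bool:
    """May a server-side downloader fetch url? (CVE-2024-29007 bug class)

    Refuses non-HTTP schemes, embedded credentials, unresolvable names and
    any name with even one internal address among its records.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    except (OSError, ValueError):
        return False
    return bool(addrs) and not any(_is_internal(a) for a in addrs)

def follow_redirect_chain(start_url: str, locations, max_redirects: int = 5,
                          resolve=_system_resolve) -> Optional[str]:
    """Walk a redirect chain, validating the start URL and every hop.

    `locations` stands in for the Location headers each hop would return so
    the demo runs offline; a real client disables automatic redirects and
    applies the same check to each Location. Returns the final URL, or None
    if a hop is refused or the chain exceeds max_redirects.
    """
    current = start_url
    if not redirect_target_allowed(current, resolve):
        return None
    for n, loc in enumerate(locations, start=1):
        if n > max_redirects:
            return None
        current = urljoin(current, loc)  # Location may be relative
        if not redirect_target_allowed(current, resolve):
            return None
    return current

# Constructed name table so the demo needs no network access.
FAKE_DNS = {"mirror.example.org": ["203.0.113.10"],
            "internal-store.example.org": ["10.20.30.40"],
            "mixed.example.org": ["203.0.113.11", "192.168.1.5"]}

def fake_resolve(hostname: str) -> List[str]:
    try:
        return [str(ipaddress.ip_address(hostname))]  # literal IP in the URL
    except ValueError:
        return FAKE_DNS.get(hostname, [])
```

Two design points carry the weight here. For the header check, the decision hinges on the TCP peer: a client that connects directly and writes its own X-Forwarded-For gets its real address back, which is exactly the spoofing case the first item describes. For the downloader, automatic redirect following in the HTTP client should be turned off and each Location header run through redirect_target_allowed before the next request is issued; the resolver is injected so the check can be exercised offline, and every record is inspected because a name that returns one public and one internal address must be refused rather than accepted on the first answer.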
Affected Versions
- CVE-2024-29006: Apache CloudStack 4.11.0.0 through 4.18.1.0, and 4.19.0.0
- CVE-2024-29007: Apache CloudStack 4.9.1.0 through 4.18.1.0, and 4.19.0.0
- CVE-2024-29008: Apache CloudStack 4.14.0.0 through 4.18.1.0, and 4.19.0.0
Call to Action
CloudStack administrators are strongly urged to upgrade to version 4.18.1.1 or 4.19.0.1 without delay. The critical severity of CVE-2024-29008 highlights the risk of infrastructure takeover if it is left unpatched.
Additional Considerations
While these vulnerabilities are significant, it’s important to remember that proactive patching is a fundamental aspect of cloud security. Regular updates and vulnerability scanning help maintain a robust defense against evolving threats.