Critical Security Advisory for Apache CloudStack: CVE-2024-38346 and CVE-2024-39864
The Apache Software Foundation has issued an urgent security advisory, disclosing two critical vulnerabilities (CVE-2024-38346 and CVE-2024-39864) affecting the widely used open-source cloud computing platform, Apache CloudStack. These vulnerabilities pose a significant risk to organizations utilizing CloudStack for managing their virtualized infrastructure.
Unauthenticated Cluster Service Port (CVE-2024-38346)
The first vulnerability, tracked as CVE-2024-38346, resides in the CloudStack cluster service, which operates on an unauthenticated port (default 9090). Malicious actors can exploit this flaw to execute arbitrary commands on targeted hypervisors and CloudStack management server hosts. In the worst-case scenario, attackers could gain full control over the compromised CloudStack environment, leading to data breaches, service disruptions, and potential financial losses.
Dynamic Port Assignment in Disabled Integration API Service (CVE-2024-39864)
The second vulnerability, identified as CVE-2024-39864, affects the CloudStack integration API service. When disabled, this service should not be accessible at all; however, due to improper initialization logic, it still listens on a random port. Attackers who can reach the CloudStack management network can identify this random port and leverage it to carry out unauthorized administrative actions and even execute remote code on CloudStack-managed hosts. This vulnerability further amplifies the risk of a complete infrastructure compromise.
Affected Versions and Urgent Call for Action
Versions 4.0.0 through 4.18.2.0 and 4.19.0.0 through 4.19.0.1 of Apache CloudStack are vulnerable to these critical flaws. The Apache Software Foundation strongly recommends immediate upgrades to versions 4.18.2.1 or 4.19.0.2, which contain patches to mitigate the identified vulnerabilities.
For organizations unable to upgrade immediately, the following temporary measures are advised:
- Restrict Network Access: Limit access to the cluster service port (default 9090) on CloudStack management server hosts to only their peer management servers.
- Minimize Exposed Ports: Restrict network access on CloudStack management server hosts to only essential ports.
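As an added example (not from the advisory or the CloudStack project), a POSIX shell script covering both temporary measures: it prints firewall rules that admit the cluster service port only from peer management servers, and it checks `ss -ltn` output for listening ports outside an operator-supplied allowlist, which is how an unexpected listener like the one described for CVE-2024-39864 would surface. The peer addresses, the allowlist and the sample socket listing are constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory. Peer IPs, the port allowlist and
# SAMPLE_SS below are constructed values for an offline run.

CLUSTER_PORT=9090   # CloudStack cluster service default from the advisory

# build_cluster_rules PORT PEER_IP...
# Prints (does not apply) one ACCEPT per peer management server and a final
# DROP for everyone else. Assumes no earlier INPUT rule already accepts the
# port. Review the output, then apply with: build_cluster_rules 9090 10.0.0.11 | sh
build_cluster_rules() {
    port="$1"; shift
    for peer in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$peer"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# unexpected_listeners "PORT PORT ..."   (reads `ss -ltn` output on stdin)
# Prints each LISTEN port that is not in the allowlist, once, in first-seen order.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            m = split($4, f, ":"); port = f[m]   # last colon field also works for [::]:PORT
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# Constructed sample of `ss -ltn` output: sshd, the cluster port bound on all
# interfaces, and a stray high port nobody configured.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   *:9090             *:*
LISTEN 0      4096   [::]:40123         [::]:*'

echo "# rules restricting the cluster port to peer management servers:"
build_cluster_rules "$CLUSTER_PORT" 10.0.0.11 10.0.0.12
echo "# listening ports outside the allowlist (22 8080):"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 8080"
```

On a real host, run `ss -ltn | unexpected_listeners "22 8080 ..."` with the ports you actually expect; anything it prints deserves an explanation before the host stays on the management network.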