Summary: The Apache CloudStack project has released LTS security updates to address four vulnerabilities, including two rated as “Important,” with the most severe allowing potential compromise of KVM-based infrastructure. Users are urged to upgrade to the latest versions to mitigate these risks.
Threat Actor: Unknown
Victim: Apache CloudStack users
Key Points:
- Release of LTS security versions 4.18.2.4 and 4.19.1.2 to address vulnerabilities.
- CVE-2024-45219 allows attackers to compromise KVM-based infrastructure through malicious templates and volumes.
- CVE-2024-45693 enables account takeover via request origin validation bypass.
- Two moderate vulnerabilities involve unauthorized quota modifications and incomplete session invalidation.
- Users are strongly advised to upgrade to the latest versions and follow provided mitigation instructions.
The Apache CloudStack project has announced the release of LTS security releases 4.18.2.4 and 4.19.1.2 to address four security vulnerabilities, including two rated as “Important.” CloudStack is a popular open-source platform used to build and manage Infrastructure-as-a-Service (IaaS) clouds.
The most severe vulnerability, CVE-2024-45219, could allow attackers to compromise KVM-based infrastructure. “Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure,” the advisory warns. This vulnerability stems from a lack of validation checks, enabling attackers to deploy malicious instances or attach compromised volumes to gain access to host filesystems.
“This could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack,” the project explains.
Another “Important” flaw, CVE-2024-45693, involves a request origin validation bypass that could lead to account takeover. Attackers could trick logged-in users into submitting malicious requests, potentially granting access to sensitive data and control over the user’s resources.
Two “Moderate” severity vulnerabilities were also patched:
- CVE-2024-45461: Access checks not enforced in the Quota feature, potentially allowing unauthorized modification of quota configurations.
- CVE-2024-45462: Incomplete session invalidation on web interface logout, enabling unauthorized access if a user’s browser session remains active.
Mitigation
The Apache CloudStack project strongly recommends that users upgrade to versions 4.18.2.4 or 4.19.1.2 to mitigate these vulnerabilities. The advisory also provides detailed instructions on how to scan and validate templates and volumes to ensure they are not compromised.
“Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features,” the advisory states.
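The scan-and-validate step the advisory refers to, as an added worked example rather than CloudStack's own tooling: a small Python checker that reads the JSON produced by `qemu-img info --output=json` and reports whether a template or volume is a flat, self-contained file. It assumes that "additional or unnecessary features" means a qcow2 backing file or external data file (the page does not name the features), that raw and qcow2 are the only image formats expected on the KVM hosts, and that `qemu-img` is installed on the host running the scan. The sample dictionaries below are constructed to mirror the shape of qemu-img's JSON output and are not taken from real images.

```python
import json
import subprocess
from typing import Any

# Keys qemu-img emits when an image references another file on disk.
# Either one means the image is not a flat file.
TOP_LEVEL_REFERENCE_KEYS = ("backing-filename", "full-backing-filename")

# Assumption: only raw and qcow2 are expected for KVM templates and volumes;
# anything else is flagged for manual review.
ALLOWED_FORMATS = {"raw", "qcow2"}


def image_findings(info: dict[str, Any]) -> list[str]:
    """Return the reasons an image is NOT a flat file. Empty list == looks flat."""
    findings: list[str] = []

    fmt = info.get("format")
    if fmt not in ALLOWED_FORMATS:
        findings.append(f"unexpected format {fmt!r}")

    # Backing file: the image is an overlay whose reads fall through to
    # another path, which the host resolves at attach/boot time.
    for key in TOP_LEVEL_REFERENCE_KEYS:
        if info.get(key):
            findings.append(f"{key} -> {info[key]!r}")

    # qcow2 external data file: guest data lives in a separate host file named
    # inside the image header, reported under format-specific.data.data-file.
    specific = info.get("format-specific") or {}
    data = specific.get("data") or {}
    if data.get("data-file"):
        findings.append(f"external data-file -> {data['data-file']!r}")

    return findings


def is_flat_image(info: dict[str, Any]) -> bool:
    return not image_findings(info)


def inspect_image(path: str) -> list[str]:
    """Run qemu-img against a real file and classify it.

    --force-share lets the check run on an image that is currently attached.
    qemu-img itself parses the (untrusted) header, so run this on an
    isolated host rather than a production hypervisor if the images are suspect.
    """
    proc = subprocess.run(
        ["qemu-img", "info", "--output=json", "--force-share", path],
        check=True, capture_output=True, text=True,
    )
    return image_findings(json.loads(proc.stdout))


# Constructed samples shaped like qemu-img output (not real images).
SAMPLE_FLAT = {
    "filename": "/var/lib/libvirt/images/tenant-a.qcow2",
    "format": "qcow2",
    "virtual-size": 10737418240,
    "format-specific": {"type": "qcow2", "data": {"compat": "1.1"}},
}

SAMPLE_BACKING = {
    "filename": "/var/lib/libvirt/images/uploaded.qcow2",
    "format": "qcow2",
    "virtual-size": 10737418240,
    "backing-filename": "/var/lib/libvirt/images/other-tenant.qcow2",
    "full-backing-filename": "/var/lib/libvirt/images/other-tenant.qcow2",
    "backing-filename-format": "qcow2",
    "format-specific": {"type": "qcow2", "data": {"compat": "1.1"}},
}

SAMPLE_DATAFILE = {
    "filename": "/var/lib/libvirt/images/uploaded2.qcow2",
    "format": "qcow2",
    "virtual-size": 10737418240,
    "format-specific": {
        "type": "qcow2",
        "data": {"compat": "1.1", "data-file": "/var/lib/libvirt/images/payload.img",
                 "data-file-raw": True},
    },
}


if __name__ == "__main__":
    import sys
    rejected = 0
    for image_path in sys.argv[1:]:
        problems = inspect_image(image_path)
        status = "OK  " if not problems else "FAIL"
        print(f"{status} {image_path} {'; '.join(problems)}")
        rejected += bool(problems)
    sys.exit(1 if rejected else 0)
```

Run it as `python3 scan_images.py /path/to/secondary/storage/template/**/*.qcow2` on each KVM host or secondary storage mount; a non-zero exit means at least one image should be quarantined and reviewed before any instance is deployed from it. The check only covers the two features named in the assumption above, so treat a clean result as one signal alongside the vendor's own guidance, not as proof that an image is safe.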
Source: https://securityonline.info/apache-cloudstack-patches-critical-security-flaws-in-latest-release