This is an automated email from the ASF dual-hosted git repository. dahn pushed a commit to branch 4.19.1.3 in repository https://gitbox.apache.org/repos/asf/cloudstack-www.git
commit 7c85574f54b340336a8c7216926e690cfeb7735d Author: Daan Hoogland <[email protected]> AuthorDate: Mon Nov 11 14:20:40 2024 +0100 CVE-2024-50386 --- .../banner.png | Bin 0 -> 595536 bytes .../index.md | 69 +++++++++++++++++++++ src/components/Releases/index.tsx | 2 + src/pages/downloads.mdx | 32 +++++----- src/pages/index.tsx | 8 +-- 5 files changed, 91 insertions(+), 20 deletions(-) diff --git a/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/banner.png b/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/banner.png new file mode 100644 index 000000000..bfc2de878 Binary files /dev/null and b/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/banner.png differ diff --git a/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/index.md b/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/index.md new file mode 100644 index 000000000..e19979254 --- /dev/null +++ b/blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/index.md 
@@ -0,0 +1,69 @@ +--- +layout: post +title: "[ADVISORY] Apache CloudStack LTS Security Releases 4.18.2.5 and 4.19.1.3" +tags: [announcement] +authors: [gutoveronezi] +slug: security-release-advisory-4.18.2.5-4.19.1.3 +--- + +[](/blog/security-release-advisory-4.18.2.5-4.19.1.3) + +The Apache CloudStack project announces the release of LTS security releases [4.18.2.5](https://github.com/apache/cloudstack/releases/tag/4.18.2.5) and [4.19.1.3](https://github.com/apache/cloudstack/releases/tag/4.19.1.3) that address the following security issues: + +- CVE-2024-50386 (severity 'Important') + +<!-- truncate --> + +## [CVE-2024-50386](https://www.cve.org/CVERecord?id=CVE-2024-50386): Directly downloaded templates can be used to abuse KVM-based infrastructure + +Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of res [...] + +Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. + +Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a comprom [...] + +``` +for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. 
If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done +``` + +For checking the whole template/volume features of each disk, operators can run the following command: + +``` +for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done +``` + +## Credits + +The CVEs are credited to the following reporters: + +- CVE-2024-50386: + - Kiran Chavala <[email protected]> (reporter) + +## Affected versions: + +- CVE-2024-50386: + - Apache CloudStack 4.0.0 through 4.18.2.4 + - Apache CloudStack 4.19.0.0 through 4.19.1.2 + +## Resolution + +Users are recommended to upgrade to version 4.18.2.5, 4.19.1.3 or later, which addresses this issue. Additionally, users on a version older than 4.19.1.0 are advised to skip 4.19.1.0 and upgrade to 4.19.1.3 instead. + +## Downloads and Documentation + +The official source code for the 4.18.2.5 and 4.19.1.3 releases can be downloaded from the project downloads page: + +https://cloudstack.apache.org/downloads + +The 4.18.2.5 and 4.19.1.3 release notes can be found at: +- https://docs.cloudstack.apache.org/en/4.18.2.5/releasenotes/about.html +- https://docs.cloudstack.apache.org/en/4.19.1.3/releasenotes/about.html + +In addition to the official source code release, individual contributors have also made release packages available on the Apache CloudStack download page, and available at: + +- https://download.cloudstack.org/el/7/ +- https://download.cloudstack.org/el/8/ +- https://download.cloudstack.org/el/9/ +- https://download.cloudstack.org/suse/15/ +- https://download.cloudstack.org/ubuntu/dists/ +- https://www.shapeblue.com/cloudstack-packages/ diff --git a/src/components/Releases/index.tsx b/src/components/Releases/index.tsx index d82d897bd..190efc703 100644 --- a/src/components/Releases/index.tsx +++ b/src/components/Releases/index.tsx 
@@ -1,12 +1,14 @@ import React from "react"; const versions = [ + '4.19.1.3', '4.19.1.2', '4.19.1.1', '4.19.1.0', '4.19.0.2', '4.19.0.1', '4.19.0.0', + '4.18.2.5', '4.18.2.4', '4.18.2.3', '4.18.2.2', diff --git a/src/pages/downloads.mdx b/src/pages/downloads.mdx index 8ff6b0fff..c30263d88 100644 --- a/src/pages/downloads.mdx +++ b/src/pages/downloads.mdx 
@@ -18,42 +18,42 @@ releases](https://github.com/apache/cloudstack/releases). ### Source Releases -Apache CloudStack's most recent release is `4.19.1.2`. This is current +Apache CloudStack's most recent release is `4.19.1.3`. This is current CloudStack LTS release. -<a className="button button--primary button--lg" href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2">Get the 4.19.1.2 Source</a> +<a className="button button--primary button--lg" href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.19.1.3/apache-cloudstack-4.19.1.3-src.tar.bz2">Get the 4.19.1.3 Source</a> <a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/KEYS">KEYS</a> -<a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2.asc">PGP</a> -<a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/releases/4.19.1.2/apache-cloudstack-4.19.1.2-src.tar.bz2.sha512">SHA512</a> +<a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/releases/4.19.1.3/apache-cloudstack-4.19.1.3-src.tar.bz2.asc">PGP</a> +<a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/releases/4.19.1.3/apache-cloudstack-4.19.1.3-src.tar.bz2.sha512">SHA512</a> <br/><br/> -Full release notes can be found in the version [4.19.1.2 Release -Notes](https://docs.cloudstack.apache.org/en/4.19.1.2/releasenotes/) website. +Full release notes can be found in the version [4.19.1.3 Release +Notes](https://docs.cloudstack.apache.org/en/4.19.1.3/releasenotes/) website. Instructions for building from source and installing Apache CloudStack can be found in the [Installation -Guide](https://docs.cloudstack.apache.org/en/4.19.1.2/installguide/). +Guide](https://docs.cloudstack.apache.org/en/4.19.1.3/installguide/). 
Instructions for building from source and upgrading from a previous version of -CloudStack to Apache CloudStack 4.19.1.2 can be found in the upgrade section of +CloudStack to Apache CloudStack 4.19.1.3 can be found in the upgrade section of the Release Notes (see above). -The latest CloudStack LTS maintenance release is `4.18.2.4` as part of the +The latest CloudStack LTS maintenance release is `4.18.2.5` as part of the previous LTS release. -<a className="button button--primary button--lg" href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2">Get the 4.18.2.4 Source</a> +<a className="button button--primary button--lg" href="http://www.apache.org/dyn/closer.lua/cloudstack/releases/4.18.2.5/apache-cloudstack-4.18.2.5-src.tar.bz2">Get the 4.18.2.5 Source</a> <a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/KEYS">KEYS</a> -<a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2.asc">PGP</a> -<a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/releases/4.18.2.4/apache-cloudstack-4.18.2.4-src.tar.bz2.sha512">SHA512</a> +<a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/releases/4.18.2.5/apache-cloudstack-4.18.2.5-src.tar.bz2.asc">PGP</a> +<a className="button button--secondary button--sm" href="https://downloads.apache.org/cloudstack/releases/4.18.2.5/apache-cloudstack-4.18.2.5-src.tar.bz2.sha512">SHA512</a> <br/><br/> -Full release notes can be found in the version [4.18.2.4 Release -Notes](https://docs.cloudstack.apache.org/en/4.18.2.4/releasenotes/) website. +Full release notes can be found in the version [4.18.2.5 Release +Notes](https://docs.cloudstack.apache.org/en/4.18.2.5/releasenotes/) website. 
Instructions for building from source and installing Apache CloudStack can be found in the [Installation -Guide](https://docs.cloudstack.apache.org/en/4.18.2.4/installguide/). +Guide](https://docs.cloudstack.apache.org/en/4.18.2.5/installguide/). Instructions for building from source and upgrading from a previous version of -CloudStack to Apache CloudStack 4.18.2.4 can be found in the upgrade section of +CloudStack to Apache CloudStack 4.18.2.5 can be found in the upgrade section of the Release Notes (see above). ### Community Packages diff --git a/src/pages/index.tsx b/src/pages/index.tsx index 2c84a5e3a..15a879813 100644 --- a/src/pages/index.tsx +++ b/src/pages/index.tsx @@ -26,8 +26,8 @@ Apache CloudStack™ is an open-source software system designed to deploy and m <div className="center-buttons"> <a href="downloads" className="btn btn-light btn-size">Download</a> - <a href="https://docs.cloudstack.apache.org/en/4.19.1.2/" target="_blank" className="btn btn-outline-light btn-size">Documentation</a> - <p className="small mt-3">Apache CloudStack 4.19.1.2 is out!</p> + <a href="https://docs.cloudstack.apache.org/en/4.19.1.3/" target="_blank" className="btn btn-outline-light btn-size">Documentation</a> + <p className="small mt-3">Apache CloudStack 4.19.1.3 is out!</p> </div> </div> <div className="col-lg-7"><img src="/img/CloudStack_monkey_cloud.png" className="img-fluid" alt=""/></div> 
@@ -219,10 +219,10 @@ specific infrastructure. <div className="col col-lg-5"> <h2 className="section-title mb-4 margin-second">Latest Release</h2> <div className="center-buttons"> - <p className="px18">Apache CloudStack 4.19.1.2 is out!<br/>This is the latest LTS release.</p> + <p className="px18">Apache CloudStack 4.19.1.3 is out!<br/>This is the latest LTS release.</p> <a href="downloads" className="btn btn-primary btn-size">Download</a> - <a href="https://docs.cloudstack.apache.org/en/4.19.1.2/" target="_blank" className="btn btn-outline-secondary btn-size">Documentation</a> + <a href="https://docs.cloudstack.apache.org/en/4.19.1.3/" target="_blank" className="btn btn-outline-secondary btn-size">Documentation</a> </div> </div> <div className="col-lg-7"><img src="/img/CloudStack_release_illustration.png" className="img-fluid img-release" alt=""/></div>
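Review bot: the `find /path/to/storage/ -type f -regex [a-f0-9\-]*.*` filter used by both scan loops in the new blog/2024-11-11-security-release-advisory-4.18.2.5-4.19.1.3/index.md hunk does not restrict the scan to UUID-named disks as it appears to. GNU find's `-regex` must match the whole path, `[a-f0-9\-]*` may match zero characters and the trailing `.*` then matches any path, so every regular file under the storage is processed; the pattern is also unquoted, so the shell may glob-expand it before find sees it, and `for file in $(find ...)` word-splits on any whitespace in a path. If the intent is UUID-named files, suggest something like `find /path/to/storage/ -type f -regex '.*/[a-f0-9-]*' -print0 | while IFS= read -r -d '' file; do ...; done`, or otherwise drop the `-regex` argument and state that every file is inspected. Since `grep file:` is the entire detection in the first loop, the text should also say which `qemu-img info` lines it is meant to surface (the backing-file reference being the obvious one) so operators understand what an empty result does and does not prove, and that scanning file-based primary storage does not cover templates still on secondary storage or volumes on block-based primary storage. Minor: the Credits section says "The CVEs are credited" while only one CVE is listed.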
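Review bot: the updated "Get the 4.19.1.3 Source" and "Get the 4.18.2.5 Source" buttons in src/pages/downloads.mdx still point at `http://www.apache.org/dyn/closer.lua/...` while the KEYS, PGP and SHA512 links on the same lines use https. Since this hunk is published as part of a security release, switch the closer.lua links to https as well, and add a sentence telling readers to verify the downloaded tarball against the `.asc` signature (with the KEYS file) or the `.sha512` from downloads.apache.org rather than from the mirror closer.lua redirects to. Minor: the unchanged context line "This is current CloudStack LTS release." is missing "the".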
