This is an automated email from the ASF dual-hosted git repository.

dahn pushed a commit to branch staging-site
in repository https://gitbox.apache.org/repos/asf/cloudstack-www.git


The following commit(s) were added to refs/heads/staging-site by this push:
     new 93446c7de Advisory for the security fixes in LTS releases 4.20.2.0 & 4.22.0.0 (#389)
93446c7de is described below

commit 93446c7de99929da1675534bce840642bb157641
Author: Harikrishna <[email protected]>
AuthorDate: Thu Nov 27 18:57:49 2025 +0530

    Advisory for the security fixes in LTS releases 4.20.2.0 & 4.22.0.0 (#389)
---
 .../banner.jpg                                     | Bin 0 -> 217582 bytes
 .../index.md                                       |  82 +++++++++++++++++++++
 2 files changed, 82 insertions(+)

diff --git a/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/banner.jpg 
b/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/banner.jpg
new file mode 100644
index 000000000..f1c11f86d
Binary files /dev/null and 
b/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/banner.jpg differ
diff --git a/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/index.md 
b/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/index.md
new file mode 100644
index 000000000..913608ca9
--- /dev/null
+++ b/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/index.md
@@ -0,0 +1,82 @@
+---
+layout: post
+title: "[ADVISORY] Security Improvements in Apache CloudStack 4.20.2.0 and 
4.22.0.0"
+tags: [announcement]
+authors: [harikrishna]
+slug: cve-advisories-4.20.2.0-4.22.0.0
+---
+
+[![](banner.jpg "Security Improvements in Apache CloudStack 4.20.2.0 and 
4.22.0.0")](/blog/lts-release-advisory-4.20.2.0-4.22.0.0)
+
+The Apache CloudStack project announces the LTS release of 
[4.20.2.0](https://github.com/apache/cloudstack/releases/tag/4.20.2.0) and 
[4.22.0.0](https://github.com/apache/cloudstack/releases/tag/4.22.0.0) that 
address the following security issues:
+
+- CVE-2025-59302 (severity 'Low')
+- CVE-2025-59454 (severity 'Low')
+
+<!-- truncate -->
+
+## [CVE-2025-59302](https://www.cve.org/CVERecord?id=CVE-2025-59302): 
Potential remote code execution on Javascript engine defined rules
+
+In Apache CloudStack, improper control of generation of code ('Code 
Injection') vulnerability is found in the following APIs which are accessible 
only to admins.
+
+- quotaTariffCreate
+- quotaTariffUpdate
+- createSecondaryStorageSelector
+- updateSecondaryStorageSelector
+- updateHost
+- updateStorage
+
+The fix introduces a new global configuration flag, js.interpretation.enabled, 
allowing administrators to control the interpretation of JavaScript expressions 
in these APIs, thereby mitigating the code injection risk.
+
+## [CVE-2025-59454](https://www.cve.org/CVERecord?id=CVE-2025-59454): Lack of 
user permission validation leading to data leak for few APIs
+
+In Apache CloudStack, a gap in access control checks affected the APIs
+
+- createNetworkACL
+- listNetworkACLs
+- listResourceDetails
+- listVirtualMachinesUsageHistory
+- listVolumesUsageHistory
+
+While these APIs were accessible only to authorized users, insufficient 
permission validation meant that users could occasionally access information 
beyond their intended scope.
+
+## Credits
+
+The CVEs are credited to the following reporters:
+
+- CVE-2025-59302:
+    - Tianyi Cheng <[email protected]>
+
+- CVE-2025-59454:
+    - [email protected] <https://github.com/ai-bugreporter/Credits>
+
+## Affected versions:
+
+- CVE-2025-59302:
+    - Apache CloudStack 4.18.0.0 through 4.20.1.0 and 4.21.0.0
+
+- CVE-2025-59454:
+    - Apache CloudStack 4.0.0 through 4.20.1.0 and 4.21.0.0
+
+## Resolution
+
+Users are recommended to upgrade to version 4.20.2.0, 4.22.0.0 or later, which 
addresses these issues.
+
+## Downloads and Documentation
+
+The official source code for the 4.20.2.0 and 4.22.0.0 releases can be 
downloaded from the project [downloads page](/downloads).
+
+The 4.20.2.0 and 4.22.0.0 release notes can be found at:
+
+- https://docs.cloudstack.apache.org/en/4.20.2.0/releasenotes/about.html
+- https://docs.cloudstack.apache.org/en/4.22.0.0/releasenotes/about.html
+
+In addition to the official source code release, individual contributors have 
also made release packages available on the Apache CloudStack download page, 
and available at:
+
+- https://download.cloudstack.org/el/8/
+- https://download.cloudstack.org/el/9/
+- https://download.cloudstack.org/el/10/
+- https://download.cloudstack.org/suse/15/
+- https://download.cloudstack.org/ubuntu/dists/
+- https://download.cloudstack.org/debian/dists/
+- https://www.shapeblue.com/cloudstack-packages/
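Review bot: The banner link target does not match the post's own slug: the front matter sets `slug: cve-advisories-4.20.2.0-4.22.0.0`, but the image link on the line `[![](banner.jpg ...)](/blog/lts-release-advisory-4.20.2.0-4.22.0.0)` points at `/blog/lts-release-advisory-4.20.2.0-4.22.0.0`, so the banner will resolve to a page that this commit does not create; point it at the slug (or drop the self-link). Two smaller points in the same hunk: the CVE-2025-59302 section says the fix adds the global setting `js.interpretation.enabled` but never states its default after upgrade, so a reader cannot tell whether upgrading alone closes the issue or whether the flag must also be switched off; one sentence giving the shipped default and the recommended value would make the mitigation actionable. And the heading `## Affected versions:` carries a trailing colon that none of the other headings use, while the sentence `In Apache CloudStack, a gap in access control checks affected the APIs` runs straight into the list with no punctuation; a colon there would read more cleanly.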