Apache CloudStack project announces the release of LTS security releases 4.18.2.3 and 4.19.1.1 that address CVE-2024-42062 and CVE-2024-42222, both of severity rating 'critical', explained below.
## CVE-2024-42062: User Key Exposure to Domain Admins CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the purpose of API-based automation and integrations. Due to access permission validation issue that affects Apache CloudStack versions 4.10.0 upto 4.19.1.0, domain admin accounts were found to be able to query all registered account-users API and secret keys in an environment including that of a root admin. An attacker who has domain admin access, can exploit this to gain root admin and other-account privileges and perform malicious operations that can result in compromise of resources integrity and confidentiality, data loss, denial of service and availability of CloudStack managed infrastructure. ## CVE-2024-42222: Unauthorised Network List Access In Apache CloudStack 4.19.1.0, a regression in the network listing API allows unauthorised list access of network details for domain admin and normal user accounts. This vulnerability compromises tenant isolation, potentially leading to unauthorised access to network details, configurations and data. # Credits The CVEs are credited to the following reporters: ## CVE-2024-42062: Fabricio Duarte ## CVE-2024-42222: Christian Gross of Netcloud AG Midhun Jose # Affected versions: ## CVE-2024-42062: Apache CloudStack 4.10.0 through 4.18.2.2 Apache CloudStack 4.19.0.0 through 4.19.1.0 ## CVE-2024-42222: Apache CloudStack 4.19.1.0 # Resolution Users are recommended to upgrade to version 4.18.2.3, 4.19.1.3 or later, which addresses these issues. Additionally, users on a version older than 4.19.1.0 are advised to skip upgrading to 4.19.1.0. To maintain the security of their environment, users are advised to regenerate all existing user keys. # Downloads and Documentation The official source code for the 4.18.2.3 and 4.19.1.1 releases can be downloaded from the project downloads page: https://cloudstack.apache.org/downloads The 4.18.2.3 and 4.19.1.1 release notes can be found at: - https://docs.cloudstack.apache.org/en/4.18.2.3/releasenotes/about.html - https://docs.cloudstack.apache.org/en/4.19.1.1/releasenotes/about.html In addition to the official source code release, individual contributors have also made release packages available on the Apache CloudStack download page, and available at: - https://download.cloudstack.org/el/7/ - https://download.cloudstack.org/el/8/ - https://download.cloudstack.org/el/9/ - https://download.cloudstack.org/suse/15/ - https://download.cloudstack.org/ubuntu/dists/ - https://www.shapeblue.com/cloudstack-packages/