Apache fixes CloudStack Vulnerabilities – CVE-2024-38346 and CVE-2024-39864

The Apache Software Foundation has released patches for two critical vulnerabilities affecting the widely used open-source cloud computing platform, Apache CloudStack. These vulnerabilities pose a significant risk to organizations utilizing CloudStack for managing their virtualized infrastructure.

Unauthenticated Cluster Service Port

The first vulnerability, tracked as CVE-2024-38346, resides in the CloudStack cluster service, which listens on an unauthenticated port (9090 by default). Threat actors who can reach that port can exploit the flaw to execute arbitrary commands on targeted hypervisors and CloudStack management server hosts, and can gain full access to those services.


Dynamic Port Assignment in Disabled Integration API Service

The second vulnerability, tracked as CVE-2024-39864, affects the CloudStack integration API service. When this service is disabled it should not be reachable at all; however, because of improper initialization logic, it still listens on a random port. Attackers with access to the CloudStack management network can discover that random port and use it to carry out unauthorized administrative actions, and even to execute code remotely on CloudStack-managed hosts.

Apache CloudStack versions 4.0.0 through 4.18.2.0 and 4.19.0.0 through 4.19.0.1 are affected by both flaws. The Apache Software Foundation strongly recommends upgrading immediately to version 4.18.2.1 or 4.19.0.2, which contain the patches for the identified vulnerabilities.
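The following script is an added example for operators triaging both advisories above; it is not Apache CloudStack code. It does two things: it checks an installed version string against the affected ranges the advisory lists (4.0.0 through 4.18.2.0, 4.19.0.0 through 4.19.0.1), and it parses `ss -ltnp`-style listener output from a management host to flag the cluster service port (default 9090) when it is bound to a non-loopback address, and any other TCP listener owned by the management-server process that is not in an operator-supplied baseline, which is how the random integration API port from CVE-2024-39864 would show up. The sample `ss` output, the process marker `java`, and the baseline port set `{8080, 8250, 9090}` are constructed assumptions for the example, not values taken from the advisory; adjust them to your deployment.

```python
"""Defensive triage helpers for CVE-2024-38346 and CVE-2024-39864.

Added example, not Apache CloudStack project code. Everything below that is not
quoted from the advisory (sample ss output, process marker, baseline ports) is a
constructed assumption and should be adapted to the real deployment.
"""
import re
from typing import Iterable, List, Set, Tuple

# Default cluster service port named in the advisory for CVE-2024-38346.
CLUSTER_SERVICE_PORT = 9090

# Affected version ranges as stated in the advisory (inclusive on both ends),
# normalised to four numeric components.
AFFECTED_RANGES = [
    ((4, 0, 0, 0), (4, 18, 2, 0)),
    ((4, 19, 0, 0), (4, 19, 0, 1)),
]

# Fixed releases named in the advisory.
FIXED_VERSIONS = ("4.18.2.1", "4.19.0.2")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.18.2' or '4.19.0.1' into a four-component tuple for comparison."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:4]]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Matches one LISTEN row of `ss -ltnp`: state, queues, local addr:port, peer, process.
_SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<proc>.*)$"
)
_LOOPBACK_PREFIXES = ("127.", "[::1]")


def audit_listeners(ss_output: str, expected_ports: Iterable[int],
                    mgmt_marker: str = "java") -> List[str]:
    """Flag listeners relevant to the two advisories.

    expected_ports: the TCP ports the management server is expected to own in
    this deployment (operator-supplied baseline; constructed in the example).
    mgmt_marker: substring identifying the management-server process in the
    `ss` process column (assumption: a Java process).
    """
    baseline: Set[int] = set(expected_ports)
    findings: List[str] = []
    for raw in ss_output.splitlines():
        m = _SS_LINE.match(raw.strip())
        if not m:
            continue  # header or non-LISTEN row
        addr, port, proc = m.group("addr"), int(m.group("port")), m.group("proc")
        exposed = not addr.startswith(_LOOPBACK_PREFIXES)
        if port == CLUSTER_SERVICE_PORT and exposed:
            findings.append(
                f"cluster service port {port} bound on {addr}: confirm access is "
                f"restricted to the management network and upgrade (CVE-2024-38346)")
        elif mgmt_marker in proc and port not in baseline:
            findings.append(
                f"unexpected listener {addr}:{port} owned by {proc}: possible "
                f"integration API on a random port (CVE-2024-39864)")
    return findings


# Constructed sample of `ss -ltnp` output from a management host (not real data).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:9090        0.0.0.0:*         users:(("java",pid=1201,fd=77))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("java",pid=1201,fd=54))
LISTEN 0      128    0.0.0.0:8250        0.0.0.0:*         users:(("java",pid=1201,fd=58))
LISTEN 0      128    [::]:41537          [::]:*            users:(("java",pid=1201,fd=91))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=880,fd=21))
"""


if __name__ == "__main__":
    for ver in ("4.18.2.0", "4.18.2.1", "4.19.0.1", "4.19.0.2"):
        print(f"{ver}: {'AFFECTED' if is_vulnerable(ver) else 'not in affected ranges'}")
    # Baseline ports are an assumed example set; use your deployment's real list.
    for finding in audit_listeners(SS_SAMPLE, expected_ports={8080, 8250, 9090}):
        print("FINDING:", finding)
```

On a live host the `ss -ltnp` output would be fed in from `subprocess` instead of the constructed sample; the version check is only as good as the string you hand it, so read it from the installed package metadata rather than from a banner.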
