Apache Cloudstack fixes CVE-2024-42062 & CVE-2024-42222

The Apache CloudStack project has released patches addressing two critical vulnerabilities that could allow attackers to gain unauthorized access to sensitive information and compromise the integrity of CloudStack-managed infrastructure.

The first vulnerability, tracked as CVE-2024-42062, is a key exposure risk stemming from an access permission validation issue: domain admin accounts can query all registered API and secret keys of account users, including those of root admins. This exposure allows attackers with domain admin access to escalate their privileges, potentially leading to malicious operations such as data compromise, integrity breaches, and denial of service.


The second vulnerability, tracked as CVE-2024-42222, is an unauthorized network access issue stemming from a regression in the network listing API in Apache CloudStack 4.19.1.0 that could allow unauthorized users to access network details, posing a significant risk to tenant isolation and data confidentiality.

To address these critical vulnerabilities, users are strongly advised to upgrade to Apache CloudStack versions 4.18.2.3 or 4.19.1.1. Users on older versions should skip 4.19.1.0 and directly upgrade to 4.19.1.1. As a precautionary measure, it is recommended that all existing user keys be regenerated.
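As an added example (not code from the advisory or the CloudStack project), the following Python script carries out the recommended key regeneration: it signs CloudStack API requests with the standard HMAC-SHA1 scheme, lists every user and calls registerUserKeys for each, rotating the calling admin's own keys last so the run does not invalidate itself halfway. The environment variable names are assumed, and the JSON response field names are taken from the CloudStack API as the author understands it.

```python
import base64
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

def canonical_query(params):
    """String CloudStack signs: name=value pairs, URL-encoded, sorted by name, lowercased."""
    pairs = sorted((k.lower(), urllib.parse.quote(str(v), safe="*")) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs).lower()

def sign(params, secret_key):
    """CloudStack API signature: base64(HMAC-SHA1(secret, canonical_query))."""
    mac = hmac.new(secret_key.encode(), canonical_query(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_url(endpoint, params, api_key, secret_key):
    """Signed GET URL; 'signature' is appended last and URL-encoded on its own."""
    p = dict(params, apikey=api_key, response="json")
    query = "&".join(f"{k}={urllib.parse.quote(str(v), safe='*')}" for k, v in p.items())
    return f"{endpoint}?{query}&signature={urllib.parse.quote(sign(p, secret_key), safe='')}"

def rotate_all_keys(call, own_api_key=None):
    """Regenerate keys for every user; call(command, **params) returns parsed JSON. Returns {username: new apikey}."""
    # Response field names assumed from the CloudStack API (listusersresponse/user, registeruserkeysresponse/userkeys).
    users = call("listUsers", listall="true").get("listusersresponse", {}).get("user", [])
    # Rotate the calling admin's own account last: once its keys change, later calls would fail.
    users.sort(key=lambda u: u.get("apikey") == own_api_key)
    rotated = {}
    for u in users:
        resp = call("registerUserKeys", id=u["id"])
        rotated[u["username"]] = resp["registeruserkeysresponse"]["userkeys"]["apikey"]
    return rotated

def api_call(endpoint, api_key, secret_key, command, **params):
    """Real transport (needs network): signed GET against the CloudStack API endpoint."""
    url = build_url(endpoint, dict(params, command=command), api_key, secret_key)
    with urllib.request.urlopen(url, timeout=30) as r:
        return json.load(r)

if __name__ == "__main__":
    # Assumed environment variable names; the values are deployment-specific placeholders.
    ep, ak, sk = (os.environ[k] for k in ("CS_ENDPOINT", "CS_API_KEY", "CS_SECRET_KEY"))
    result = rotate_all_keys(lambda c, **p: api_call(ep, ak, sk, c, **p), own_api_key=ak)
    for user, new_key in result.items():
        print(f"rotated keys for {user}: new apikey {new_key}")
```

Distribute the new secret keys to their owners out of band; the old keys stop working as soon as registerUserKeys returns, so any automation still using them must be updated at the same time.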
