
The Apache CloudStack project has announced the release of LTS security releases 4.18.2.4 and 4.19.1.2 to address four security vulnerabilities.
The most severe vulnerability, CVE-2024-45219 with a CVSS score of 8.5, could allow attackers to compromise KVM-based infrastructure. This vulnerability stems from a lack of validation checks, enabling attackers to deploy malicious instances or attach compromised volumes to gain access to host filesystems.
The advisory states: "Uploaded and registered templates and volumes can be used to abuse KVM-based infrastructure. This could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack."
The second high severity flaw, CVE-2024-45693 with a CVSS score of 8.0, involves a request origin validation bypass that could lead to account takeover. Attackers could trick logged-in users into submitting malicious requests, potentially granting access to sensitive data and control over the user’s resources.
Two other medium-severity vulnerabilities were also patched:
- CVE-2024-45461 with a CVSS score of 5.7: Access checks are not enforced in the Quota feature, potentially allowing unauthorized modification of quota configurations.
- CVE-2024-45462 with a CVSS score of 6.3: Incomplete session invalidation on web interface logout, enabling unauthorized access if a user's browser session remains active.
The Apache CloudStack project strongly recommends that users upgrade to versions 4.18.2.4 or 4.19.1.2 to mitigate these vulnerabilities. The advisory also provides detailed instructions on how to scan and validate templates and volumes to ensure they are not compromised.
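The advisory's scan guidance boils down to confirming that every KVM template and volume is a flat image, i.e. one that references no file other than itself. The following Python script is an added example, not code from the page or from the CloudStack project: it parses qcow2 headers directly and flags any image carrying a backing-file reference or the v3 external-data-file feature; `build_header` and the sample path `/srv/templates/base.qcow2` are constructed fixtures for illustration.

```python
import os
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_DATA_FILE = 1 << 2  # qcow2 v3 incompatible_features bit: guest data lives in another file

def inspect_qcow2(data: bytes) -> dict:
    """Parse the fixed qcow2 header and report every reference to another file."""
    if len(data) < 72 or data[:4] != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    version, backing_off, backing_len = struct.unpack_from(">IQI", data, 4)
    backing = None
    if backing_off and backing_len:
        if backing_off + backing_len > len(data):
            raise ValueError("backing file name lies outside the bytes read")
        backing = data[backing_off:backing_off + backing_len].decode("utf-8", "replace")
    incompat = struct.unpack_from(">Q", data, 72)[0] if version >= 3 and len(data) >= 80 else 0
    ext_data = bool(incompat & INCOMPAT_DATA_FILE)
    return {"version": version, "backing_file": backing, "external_data_file": ext_data}

def scan_directory(root: str) -> list:
    """Return (path, report) for every qcow2 file under root that is not flat."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(65536)  # first cluster holds the header and backing name
            if head[:4] != QCOW2_MAGIC:
                continue  # raw images and other files carry no qcow2 metadata
            try:
                report = inspect_qcow2(head)
            except ValueError as exc:
                report = {"error": str(exc)}  # truncated or odd header: review it too
            if "error" in report or report["backing_file"] or report["external_data_file"]:
                findings.append((path, report))
    return findings

def build_header(backing: bytes = b"", incompat: int = 0) -> bytes:
    """Constructed qcow2 v3 header used as a test fixture; not a usable disk image."""
    hdr = bytearray(104)
    hdr[:4] = QCOW2_MAGIC
    struct.pack_into(">I", hdr, 4, 3)                      # version 3
    struct.pack_into(">IQ", hdr, 20, 16, 1 << 30)          # cluster_bits, virtual size
    struct.pack_into(">QQQII", hdr, 72, incompat, 0, 0, 4, 104)  # features, refcount_order, header_length
    if backing:
        struct.pack_into(">QI", hdr, 8, len(hdr), len(backing))  # name stored right after the header
        hdr += backing
    return bytes(hdr)
```

Pointing `scan_directory` at a secondary storage mount lists only the images that need manual review; an empty result means every qcow2 file there is flat.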
For more information, refer to the advisory.