Apache CloudStack Vulnerability Exposes API & Secret Keys to Admin Accounts
The Apache CloudStack project has announced the release of long-term support (LTS) security updates, versions 4.18.2.3 and 4.19.1.1, which address two severe vulnerabilities, CVE-2024-42062 and CVE-2024-42222.
These vulnerabilities pose significant risks to the integrity, confidentiality, and availability of CloudStack-managed infrastructure.
CVE-2024-42062: User Key Exposure to Domain Admins
CVE-2024-42062 is a severe vulnerability that affects Apache CloudStack versions 4.10.0 up to 4.19.1.0. In these versions, domain admin accounts can request the API and secret keys of all registered account users, including those of root admins.
This flaw arises from an access permission validation issue, which domain admins can exploit to gain unauthorized privileges.
An attacker with domain admin access can perform malicious operations, potentially compromising resources, causing data loss, and leading to denial of service.
Affected Versions

| Version Range | Status |
|---|---|
| 4.10.0 – 4.18.2.2 | Affected |
| 4.19.0.0 – 4.19.1.0 | Affected |
CVE-2024-42222: Unauthorized Network List Access
CVE-2024-42222 is another severe vulnerability, present in Apache CloudStack version 4.19.1.0. This issue stems from a regression in the network listing API, allowing unauthorized access to network details for domain admin and normal user accounts.
This vulnerability undermines tenant isolation and could lead to unauthorized access to network configurations and data.
Affected Versions

| Version Range | Status |
|---|---|
| 4.19.1.0 | Affected |
The Apache CloudStack project strongly recommends that users upgrade to versions 4.18.2.3, 4.19.1.1, or later to mitigate these vulnerabilities.
Users on versions older than 4.19.1.0 should skip version 4.19.1.0 and upgrade directly to 4.19.1.1. Additionally, users are advised to regenerate all existing user keys to maintain the security of their environments.
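The key-regeneration step above can be scripted against the CloudStack API. The following is an added example, not code from the advisory or from the CloudStack project: it signs requests with the documented scheme (parameters sorted case-insensitively, the lowercased query string authenticated with HMAC-SHA1 under the secret key, base64-encoded), lists every user with `listUsers`, and calls `registerUserKeys` for each. The endpoint URL, the admin key pair, the caller's user id and the exact URL-encoding of parameter values are assumptions; only the caller's key is rotated last, because its old credentials stop working as soon as it is regenerated.

```python
# Added example: rotate all CloudStack user API key pairs after an upgrade.
# Endpoint, credentials and value-encoding details are assumptions.
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request


def canonical_string(params):
    """String CloudStack signs: keys sorted case-insensitively, values
    URL-encoded (spaces as %20), whole string lowercased."""
    items = sorted(params.items(), key=lambda kv: kv[0].lower())
    parts = ["%s=%s" % (k, urllib.parse.quote(str(v), safe="*")) for k, v in items]
    return "&".join(parts).lower()


def sign(params, secret_key):
    """HMAC-SHA1 over the canonical string, base64-encoded (28 chars)."""
    mac = hmac.new(secret_key.encode(), canonical_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_url(endpoint, api_key, secret_key, command, **extra):
    """Full request URL; the signature is added as its own parameter."""
    params = {"command": command, "apiKey": api_key, "response": "json", **extra}
    params["signature"] = sign(params, secret_key)
    return endpoint + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def call(endpoint, api_key, secret_key, command, **extra):
    with urllib.request.urlopen(signed_url(endpoint, api_key, secret_key, command, **extra)) as resp:
        return json.load(resp)


def rotation_order(users, caller_id):
    """Every other user first; the caller's own account last (if present)."""
    others = [u["id"] for u in users if u["id"] != caller_id]
    return others + [caller_id] if any(u["id"] == caller_id for u in users) else others


def rotate_all_keys(endpoint, api_key, secret_key, caller_id):
    """Regenerate the key pair of every user visible to the calling admin."""
    data = call(endpoint, api_key, secret_key, "listUsers", listall="true")
    users = data.get("listusersresponse", {}).get("user", [])
    for uid in rotation_order(users, caller_id):
        call(endpoint, api_key, secret_key, "registerUserKeys", id=uid)
        print("rotated keys for user", uid)


if __name__ == "__main__":
    # Placeholder values; replace with a root admin's endpoint, keys and user id.
    rotate_all_keys("https://cloudstack.example/client/api", "ADMIN_API_KEY",
                    "ADMIN_SECRET_KEY", "ADMIN_USER_ID")
```

Run it as a root admin after the upgrade; the new key pairs are returned by each `registerUserKeys` response and must be distributed to their owners out of band.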
The vulnerabilities had been reported by:
- CVE-2024-42062: Fabricio Duarte
- CVE-2024-42222: Christian Sinister of Netcloud AG and Midhun Jose
These severe vulnerabilities highlight the importance of maintaining up-to-date software and promptly addressing security issues.
The Apache CloudStack project's swift release of these updates underscores the community's commitment to security and reliability. Users are advised to upgrade promptly to ensure the continued security of their CloudStack environments.
Source credit : cybersecuritynews.com