The Apache CloudStack project has announced the release of critical security updates to address severe vulnerabilities in its KVM-based infrastructure. The latest LTS security releases, versions 4.18.2.5 and 4.19.1.3, patch a significant flaw that could potentially allow attackers to compromise KVM-based environments.
The vulnerability, identified as CVE-2024-50386, affects Apache CloudStack versions 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2. This security issue stems from missing validation checks for KVM-compatible templates during the template registration process.
Exploiting this vulnerability could enable attackers to deploy malicious instances, potentially gaining unauthorized access to host filesystems and compromising the integrity, confidentiality, and availability of KVM-based infrastructure managed by CloudStack.
Free Ultimate Continuous Security Monitoring Guide - Download Here (PDF)
Apache CloudStack Vulnerabilities
The severity of this vulnerability is rated as “Important,” with a CVSS v3.1 base score of 8.5 (High). This high score indicates the potential for significant impact on the affected systems.
To mitigate the risk, CloudStack administrators are strongly advised to upgrade to the patched versions 4.18.2.5, 4.19.1.3, or later immediately. Users running versions older than 4.19.1.0 should skip intermediate updates and directly upgrade to 4.19.1.3.
In addition to upgrading, CloudStack has provided guidance for administrators to scan and validate existing KVM-compatible templates. This process involves running specific commands on file-based primary storage to identify potentially compromised disks.
The discovery of this vulnerability is credited to Kiran Chavala ([email protected]), highlighting the importance of community involvement in identifying and addressing security issues in open-source projects.
This security update underscores the critical nature of promptly addressing vulnerabilities in cloud infrastructure software. It serves as a reminder for organizations using Apache CloudStack to maintain vigilant security practices and keep their systems up-to-date with the latest security patches.
Attend a Free Webinar on How to Maximize Cybersecurity Program ROI