cvelistv5 - cve-2024-50386

cve-2024-50386

Vulnerability from cvelistv5

Published

2024-11-12 14:34

Modified

2024-11-12 20:06

Severity ?

8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives. for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done For checking the whole template/volume features of each disk, operators can run the following command: for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done

References

URL	Tags
security@apache.org	https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3	Vendor Advisory
security@apache.org	https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y	Mailing List, Vendor Advisory
security@apache.org	https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2024/11/12/3	Mailing List

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache CloudStack	Version: 4.0.0 ≤ 4.18.2.4 Version: 4.19.0.0 ≤ 4.19.1.2

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "cloudstack",
                  vendor: "apache",
                  versions: [
                     {
                        lessThanOrEqual: "4.18.2.4",
                        status: "affected",
                        version: "4.0.0",
                        versionType: "semver",
                     },
                     {
                        lessThanOrEqual: "4.19.1.2",
                        status: "affected",
                        version: "4.19.0.0",
                        versionType: "semver",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-50386",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-11-12T16:07:06.274965Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-11-12T16:10:15.904Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-11-12T17:02:47.046Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  url: "http://www.openwall.com/lists/oss-security/2024/11/12/3",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Apache CloudStack",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "4.18.2.4",
                     status: "affected",
                     version: "4.0.0",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "4.19.1.2",
                     status: "affected",
                     version: "4.19.0.0",
                     versionType: "semver",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               type: "reporter",
               value: "Kiran Chavala <kiranchavala@apache.org>",
            },
         ],
         descriptions: [
            {
               lang: "en",
               supportingMedia: [
                  {
                     base64: false,
                     type: "text/html",
                     value: "Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.<div><br></div><div><span style=\"background-color: rgb(252, 252, 252);\">Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. <br><br></span>Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. H<span style=\"background-color: rgb(255, 255, 255);\">owever, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.</span><br></div><blockquote>for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done</blockquote><div><br>For checking the whole template/volume features of each disk, operators can run the following command:<br></div><blockquote>for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done</blockquote><div><span style=\"background-color: rgb(252, 252, 252);\"><br></span></div><br>",
                  },
               ],
               value: "Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \n\nAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\nFor checking the whole template/volume features of each disk, operators can run the following command:\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     text: "important",
                  },
                  type: "Textual description of severity",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
                  version: "3.1",
               },
               format: "CVSS",
               scenarios: [
                  {
                     lang: "en",
                     value: "GENERAL",
                  },
               ],
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-20",
                     description: "CWE-20 Improper Input Validation",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-11-12T20:06:52.571Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "vendor-advisory",
                  "patch",
               ],
               url: "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3",
            },
            {
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y",
            },
            {
               tags: [
                  "third-party-advisory",
               ],
               url: "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure",
         x_generator: {
            engine: "Vulnogram 0.2.0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2024-50386",
      datePublished: "2024-11-12T14:34:08.537Z",
      dateReserved: "2024-10-23T21:07:56.466Z",
      dateUpdated: "2024-11-12T20:06:52.571Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-50386\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-11-12T15:15:10.397\",\"lastModified\":\"2025-02-04T18:23:49.057\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\\n\\n\\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \\n\\nAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\\n\\n\\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\\\-]*.*); do echo \\\"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\\\"; qemu-img info -U $file | grep file: ; printf \\\"\\\\n\\\\n\\\"; done\\nFor checking the whole template/volume features of each disk, operators can run the following command:\\n\\n\\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\\\-]*.*); do echo \\\"Retrieving file [$file] info.\\\"; qemu-img info -U $file; printf \\\"\\\\n\\\\n\\\"; done\"},{\"lang\":\"es\",\"value\":\"De manera predeterminada, los usuarios de cuentas en Apache CloudStack pueden registrar plantillas para que se descarguen directamente al almacenamiento principal para implementar instancias. Debido a que faltan comprobaciones de validación para las plantillas compatibles con KVM en CloudStack 4.0.0 a 4.18.2.4 y 4.19.0.0 a 4.19.1.2, un atacante que pueda registrar plantillas puede usarlas para implementar instancias maliciosas en entornos basados en KVM y aprovechar esto para obtener acceso a los sistemas de archivos del host, lo que podría provocar la vulneración de la integridad y la confidencialidad de los recursos, la pérdida de datos, la denegación de servicio y la disponibilidad de la infraestructura basada en KVM administrada por CloudStack. Se recomienda a los usuarios que actualicen a Apache CloudStack 4.18.2.5 o 4.19.1.3, o una versión posterior, que soluciona este problema. Además, se pueden escanear todas las plantillas compatibles con KVM registradas por el usuario y verificar que sean archivos planos que no deberían utilizar funciones adicionales o innecesarias. Por ejemplo, los operadores pueden ejecutar el siguiente comando en sus almacenamientos primarios basados en archivos e inspeccionar la salida. Una salida vacía para el disco que se está validando significa que no tiene referencias a los sistemas de archivos del host; por otro lado, si la salida para el disco que se está validando no está vacía, podría indicar un disco comprometido. Sin embargo, tenga en cuenta que (i) los volúmenes creados a partir de plantillas tendrán referencias para las plantillas al principio y (ii) los volúmenes se pueden consolidar durante la migración, perdiendo sus referencias a las plantillas. Por lo tanto, la ejecución del comando para los almacenamientos primarios puede mostrar falsos positivos y falsos negativos. for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\\\-]*.*); do echo \\\"Recuperando información del archivo [$file]. Si la salida no está vacía, eso podría indicar un disco comprometido; verifíquelo cuidadosamente.\\\"; qemu-img info -U $file | grep file: ; printf \\\"\\\\n\\\\n\\\"; hecho Para verificar todas las características de la plantilla/volumen de cada disco, los operadores pueden ejecutar el siguiente comando: for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\\\-]*.*); do echo \\\"Recuperando información del archivo [$file].\\\"; qemu-img info -U $file; printf \\\"\\\\n\\\\n\\\"; hecho\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.18.2.5\",\"matchCriteriaId\":\"2845E705-B2F7-4443-AF76-9CE837B1A11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.0.0\",\"versionEndExcluding\":\"4.19.1.3\",\"matchCriteriaId\":\"DC061C58-2D0A-4B42-8EB9-1B156D8B31E6\"}]}]}],\"references\":[{\"url\":\"https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/11/12/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2024/11/12/3\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-11-12T17:02:47.046Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-50386\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-12T16:07:06.274965Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*\"], \"vendor\": \"apache\", \"product\": \"cloudstack\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.18.2.4\"}, {\"status\": \"affected\", \"version\": \"4.19.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.1.2\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-12T16:10:08.443Z\"}}], \"cna\": {\"title\": \"Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Kiran Chavala <kiranchavala@apache.org>\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"important\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache CloudStack\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.18.2.4\"}, {\"status\": \"affected\", \"version\": \"4.19.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.1.2\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3\", \"tags\": [\"vendor-advisory\", \"patch\"]}, {\"url\": \"https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\\n\\n\\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \\n\\nAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\\n\\n\\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\\\-]*.*); do echo \\\"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\\\"; qemu-img info -U $file | grep file: ; printf \\\"\\\\n\\\\n\\\"; done\\nFor checking the whole template/volume features of each disk, operators can run the following command:\\n\\n\\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\\\-]*.*); do echo \\\"Retrieving file [$file] info.\\\"; qemu-img info -U $file; printf \\\"\\\\n\\\\n\\\"; done\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.<div><br></div><div><span style=\\\"background-color: rgb(252, 252, 252);\\\">Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. <br><br></span>Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. H<span style=\\\"background-color: rgb(255, 255, 255);\\\">owever, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.</span><br></div><blockquote>for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\\\-]*.*); do echo \\\"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\\\"; qemu-img info -U $file | grep file: ; printf \\\"\\\\n\\\\n\\\"; done</blockquote><div><br>For checking the whole template/volume features of each disk, operators can run the following command:<br></div><blockquote>for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\\\-]*.*); do echo \\\"Retrieving file [$file] info.\\\"; qemu-img info -U $file; printf \\\"\\\\n\\\\n\\\"; done</blockquote><div><span style=\\\"background-color: rgb(252, 252, 252);\\\"><br></span></div><br>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-11-12T20:06:52.571Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-50386\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-12T20:06:52.571Z\", \"dateReserved\": \"2024-10-23T21:07:56.466Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-11-12T14:34:08.537Z\", \"assignerShortName\": \"apache\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

WID-SEC-W-2024-3415

Vulnerability from csaf_certbund

Published

2024-11-12 23:00

Modified

2024-11-12 23:00

Summary

Apache CloudStack: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache CloudStack ist eine Sofwareplattform zum Verwalten großer Netzwerke von virtuellen Maschienen als eine hoch verfügbare, hoch skalierbare Infrastructure as a Service (IaaS) Cloud Computing Plattform. CloudStack wurde von Citrix entwicklet und anschließend über Apache als Open Source Software zur Verfügung gestellt.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um Zugriffskontrollen zu umgehen und somit erhöhte Rechte zu erlangen, einen Denial-of-Service-Zustand zu erzeugen und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Sonstiges

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "hoch",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "Apache CloudStack ist eine Sofwareplattform zum Verwalten großer Netzwerke von virtuellen Maschienen als eine hoch verfügbare, hoch skalierbare Infrastructure as a Service (IaaS) Cloud Computing Plattform. CloudStack wurde von Citrix entwicklet und anschließend über Apache als Open Source Software zur Verfügung gestellt.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um Zugriffskontrollen zu umgehen und somit erhöhte Rechte zu erlangen, einen Denial-of-Service-Zustand zu erzeugen und vertrauliche Informationen offenzulegen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Sonstiges",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2024-3415 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3415.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2024-3415 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3415",
         },
         {
            category: "external",
            summary: "Apache CloudStack LTS Security Releases 4.18.2.5 and 4.19.1.3 vom 2024-11-12",
            url: "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3",
         },
      ],
      source_lang: "en-US",
      title: "Apache CloudStack: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen",
      tracking: {
         current_release_date: "2024-11-12T23:00:00.000+00:00",
         generator: {
            date: "2024-11-13T10:46:10.395+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.8",
            },
         },
         id: "WID-SEC-W-2024-3415",
         initial_release_date: "2024-11-12T23:00:00.000+00:00",
         revision_history: [
            {
               date: "2024-11-12T23:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<4.18.2.5",
                        product: {
                           name: "Apache CloudStack <4.18.2.5",
                           product_id: "T038937",
                        },
                     },
                     {
                        category: "product_version",
                        name: "4.18.2.5",
                        product: {
                           name: "Apache CloudStack 4.18.2.5",
                           product_id: "T038937-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:apache:cloudstack:4.18.2.5",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<4.19.1.3",
                        product: {
                           name: "Apache CloudStack <4.19.1.3",
                           product_id: "T038938",
                        },
                     },
                     {
                        category: "product_version",
                        name: "4.19.1.3",
                        product: {
                           name: "Apache CloudStack 4.19.1.3",
                           product_id: "T038938-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:apache:cloudstack:4.19.1.3",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "CloudStack",
               },
            ],
            category: "vendor",
            name: "Apache",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2024-50386",
         notes: [
            {
               category: "description",
               text: "Es besteht eine Schwachstelle in Apache CloudStack. Dieser Fehler entsteht durch fehlende Validierungsprüfungen in der KVM-kompatiblen Vorlagenverarbeitung von Apache CloudStack, wodurch Benutzer Vorlagen registrieren können, ohne deren Integrität zu überprüfen. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um die Zugriffskontrollen zu umgehen und somit erhöhte Rechte zu erlangen, einen Denial-of-Service-Zustand zu erzeugen und vertrauliche Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T038938",
               "T038937",
            ],
         },
         release_date: "2024-11-12T23:00:00.000+00:00",
         title: "CVE-2024-50386",
      },
   ],
}

wid-sec-w-2024-3415

Vulnerability from csaf_certbund

Published

2024-11-12 23:00

Modified

2024-11-12 23:00

Summary

Apache CloudStack: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Produktbeschreibung

Angriff

Betroffene Betriebssysteme

- Sonstiges

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "hoch",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "Apache CloudStack ist eine Sofwareplattform zum Verwalten großer Netzwerke von virtuellen Maschienen als eine hoch verfügbare, hoch skalierbare Infrastructure as a Service (IaaS) Cloud Computing Plattform. CloudStack wurde von Citrix entwicklet und anschließend über Apache als Open Source Software zur Verfügung gestellt.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um Zugriffskontrollen zu umgehen und somit erhöhte Rechte zu erlangen, einen Denial-of-Service-Zustand zu erzeugen und vertrauliche Informationen offenzulegen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Sonstiges",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2024-3415 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3415.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2024-3415 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3415",
         },
         {
            category: "external",
            summary: "Apache CloudStack LTS Security Releases 4.18.2.5 and 4.19.1.3 vom 2024-11-12",
            url: "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3",
         },
      ],
      source_lang: "en-US",
      title: "Apache CloudStack: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen",
      tracking: {
         current_release_date: "2024-11-12T23:00:00.000+00:00",
         generator: {
            date: "2024-11-13T10:46:10.395+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.8",
            },
         },
         id: "WID-SEC-W-2024-3415",
         initial_release_date: "2024-11-12T23:00:00.000+00:00",
         revision_history: [
            {
               date: "2024-11-12T23:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<4.18.2.5",
                        product: {
                           name: "Apache CloudStack <4.18.2.5",
                           product_id: "T038937",
                        },
                     },
                     {
                        category: "product_version",
                        name: "4.18.2.5",
                        product: {
                           name: "Apache CloudStack 4.18.2.5",
                           product_id: "T038937-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:apache:cloudstack:4.18.2.5",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<4.19.1.3",
                        product: {
                           name: "Apache CloudStack <4.19.1.3",
                           product_id: "T038938",
                        },
                     },
                     {
                        category: "product_version",
                        name: "4.19.1.3",
                        product: {
                           name: "Apache CloudStack 4.19.1.3",
                           product_id: "T038938-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:apache:cloudstack:4.19.1.3",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "CloudStack",
               },
            ],
            category: "vendor",
            name: "Apache",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2024-50386",
         notes: [
            {
               category: "description",
               text: "Es besteht eine Schwachstelle in Apache CloudStack. Dieser Fehler entsteht durch fehlende Validierungsprüfungen in der KVM-kompatiblen Vorlagenverarbeitung von Apache CloudStack, wodurch Benutzer Vorlagen registrieren können, ohne deren Integrität zu überprüfen. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um die Zugriffskontrollen zu umgehen und somit erhöhte Rechte zu erlangen, einen Denial-of-Service-Zustand zu erzeugen und vertrauliche Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T038938",
               "T038937",
            ],
         },
         release_date: "2024-11-12T23:00:00.000+00:00",
         title: "CVE-2024-50386",
      },
   ],
}

fkie_cve-2024-50386

Vulnerability from fkie_nvd

Published

2024-11-12 15:15

Modified

2025-02-04 18:23

Severity ?

8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3	Vendor Advisory
security@apache.org	https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y	Mailing List, Vendor Advisory
security@apache.org	https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2024/11/12/3	Mailing List

Impacted products

	Vendor	Product	Version
	apache	cloudstack	*
	apache	cloudstack	*

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "2845E705-B2F7-4443-AF76-9CE837B1A11D",
                     versionEndExcluding: "4.18.2.5",
                     versionStartIncluding: "4.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:apache:cloudstack:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DC061C58-2D0A-4B42-8EB9-1B156D8B31E6",
                     versionEndExcluding: "4.19.1.3",
                     versionStartIncluding: "4.19.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \n\nAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\nFor checking the whole template/volume features of each disk, operators can run the following command:\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done",
      },
      {
         lang: "es",
         value: "De manera predeterminada, los usuarios de cuentas en Apache CloudStack pueden registrar plantillas para que se descarguen directamente al almacenamiento principal para implementar instancias. Debido a que faltan comprobaciones de validación para las plantillas compatibles con KVM en CloudStack 4.0.0 a 4.18.2.4 y 4.19.0.0 a 4.19.1.2, un atacante que pueda registrar plantillas puede usarlas para implementar instancias maliciosas en entornos basados en KVM y aprovechar esto para obtener acceso a los sistemas de archivos del host, lo que podría provocar la vulneración de la integridad y la confidencialidad de los recursos, la pérdida de datos, la denegación de servicio y la disponibilidad de la infraestructura basada en KVM administrada por CloudStack. Se recomienda a los usuarios que actualicen a Apache CloudStack 4.18.2.5 o 4.19.1.3, o una versión posterior, que soluciona este problema. Además, se pueden escanear todas las plantillas compatibles con KVM registradas por el usuario y verificar que sean archivos planos que no deberían utilizar funciones adicionales o innecesarias. Por ejemplo, los operadores pueden ejecutar el siguiente comando en sus almacenamientos primarios basados en archivos e inspeccionar la salida. Una salida vacía para el disco que se está validando significa que no tiene referencias a los sistemas de archivos del host; por otro lado, si la salida para el disco que se está validando no está vacía, podría indicar un disco comprometido. Sin embargo, tenga en cuenta que (i) los volúmenes creados a partir de plantillas tendrán referencias para las plantillas al principio y (ii) los volúmenes se pueden consolidar durante la migración, perdiendo sus referencias a las plantillas. Por lo tanto, la ejecución del comando para los almacenamientos primarios puede mostrar falsos positivos y falsos negativos. for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Recuperando información del archivo [$file]. Si la salida no está vacía, eso podría indicar un disco comprometido; verifíquelo cuidadosamente.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; hecho Para verificar todas las características de la plantilla/volumen de cada disco, los operadores pueden ejecutar el siguiente comando: for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Recuperando información del archivo [$file].\"; qemu-img info -U $file; printf \"\\n\\n\"; hecho",
      },
   ],
   id: "CVE-2024-50386",
   lastModified: "2025-02-04T18:23:49.057",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "HIGH",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 6,
            source: "security@apache.org",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 9.9,
               baseSeverity: "CRITICAL",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "CHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.1,
            impactScore: 6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2024-11-12T15:15:10.397",
   references: [
      {
         source: "security@apache.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3",
      },
      {
         source: "security@apache.org",
         tags: [
            "Mailing List",
            "Vendor Advisory",
         ],
         url: "https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y",
      },
      {
         source: "security@apache.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "http://www.openwall.com/lists/oss-security/2024/11/12/3",
      },
   ],
   sourceIdentifier: "security@apache.org",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-20",
            },
         ],
         source: "security@apache.org",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "NVD-CWE-noinfo",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

ghsa-5pg9-rxpc-jxgf

Vulnerability from github

Published

2024-11-12 15:30

Modified

2025-02-04 18:30

Severity ?

8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue.

Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.

for file in $(find /path/to/storage/ -type f -regex [a-f0-9-].); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done For checking the whole template/volume features of each disk, operators can run the following command:

for file in $(find /path/to/storage/ -type f -regex [a-f0-9-].); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2024-50386",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-20",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-11-12T15:15:10Z",
      severity: "HIGH",
   },
   details: "Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack.\n\n\nUsers are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. \n\nAdditionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives.\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.\"; qemu-img info -U $file | grep file: ; printf \"\\n\\n\"; done\nFor checking the whole template/volume features of each disk, operators can run the following command:\n\n\nfor file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo \"Retrieving file [$file] info.\"; qemu-img info -U $file; printf \"\\n\\n\"; done",
   id: "GHSA-5pg9-rxpc-jxgf",
   modified: "2025-02-04T18:30:46Z",
   published: "2024-11-12T15:30:43Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-50386",
      },
      {
         type: "WEB",
         url: "https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.5-4.19.1.3",
      },
      {
         type: "WEB",
         url: "https://lists.apache.org/thread/d0x83c2cyglzzdw8csbop7mj7h83z95y",
      },
      {
         type: "WEB",
         url: "https://www.shapeblue.com/shapeblue-security-advisory-apache-cloudstack-security-releases-4-18-2-5-and-4-19-1-3",
      },
      {
         type: "WEB",
         url: "http://www.openwall.com/lists/oss-security/2024/11/12/3",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
         type: "CVSS_V3",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-50386

Vulnerability from cvelistv5

WID-SEC-W-2024-3415

Vulnerability from csaf_certbund

wid-sec-w-2024-3415

Vulnerability from csaf_certbund

fkie_cve-2024-50386

Vulnerability from fkie_nvd

ghsa-5pg9-rxpc-jxgf

Vulnerability from github

Tags

Sightings

Nomenclature