Apache Cloudstack Vulnerability Exposes API & Secret Keys to Admin Accounts
- Source: cybersecuritynews.com (Vulnerability section)
Author: Dhivya
The Apache CloudStack project has released long-term support (LTS) security updates, versions 4.18.2.3 and 4.19.1.1, which address two vulnerabilities rated critical: CVE-2024-42062 and CVE-2024-42222.
These vulnerabilities pose significant risks to the integrity, confidentiality, and availability of CloudStack-managed infrastructure.
CVE-2024-42062: User Key Exposure to Domain Admins
CVE-2024-42062 is a critical vulnerability affecting Apache CloudStack versions 4.10.0 through 4.18.2.2 and 4.19.0.0 through 4.19.1.0. In these versions a domain admin account can query the API and secret keys of every registered user, including root admins.
The flaw is an access permission validation issue: the key-listing path does not restrict a domain admin to users within its own domain. Because CloudStack authenticates API calls with the API key and an HMAC signature computed from the secret key, anyone holding a root admin's key pair can sign requests as that root admin, so the bug is in practice an escalation from domain admin to root admin.
An attacker with domain admin access can use the stolen keys to perform any root-admin operation, potentially compromising resources across the deployment, causing data loss, and leading to denial of service.
Affected versions
Version range            Status
4.10.0 – 4.18.2.2        Affected
4.19.0.0 – 4.19.1.0      Affected
CVE-2024-42222: Unauthorized Network List Access
CVE-2024-42222 is another critical vulnerability, present only in Apache CloudStack 4.19.1.0. It stems from a regression in the network listing API that lets domain admin and normal user accounts retrieve details of networks they are not authorized to see.
This undermines tenant isolation: one tenant can read the network configuration and related data of another.
Affected versions
Version range            Status
4.19.1.0                 Affected
The Apache CloudStack project strongly recommends upgrading to 4.18.2.3, 4.19.1.1, or later to mitigate both vulnerabilities.
Users on releases older than 4.19.1.0 should skip 4.19.1.0 and upgrade directly to 4.19.1.1. Because a domain admin on an affected version may already have read other users' keys, the project also advises regenerating all existing user keys; this should be done after the upgrade, since keys regenerated on a vulnerable version could simply be read again.
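The version check and the post-upgrade key rotation the advice above calls for, plus a check for the network-listing leak, as an added Python example. This is not code from the article or from the Apache CloudStack project. It assumes a management-server endpoint URL, an API key and secret key for the account running it, and an `opener` hook that stands in for HTTP so the logic can be exercised without a live server; the affected ranges are the ones the advisory lists, and request signing follows CloudStack's documented scheme (parameters sorted by key and lower-cased, HMAC-SHA1 with the secret key, base64-encoded).

```python
"""Post-upgrade helpers for CVE-2024-42062 / CVE-2024-42222 (added example).

version_affected()          - compare a version string with the advisory's ranges
CloudStackClient            - sign API requests (HMAC-SHA1) and issue them
regenerate_all_user_keys()  - registerUserKeys for every user, own key last
foreign_networks()          - CVE-2024-42222 check: networks owned by others
Endpoint, keys and the `opener` hook are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Inclusive affected ranges exactly as stated in the advisory.
AFFECTED = {
    "CVE-2024-42062": [((4, 10, 0, 0), (4, 18, 2, 2)), ((4, 19, 0, 0), (4, 19, 1, 0))],
    "CVE-2024-42222": [((4, 19, 1, 0), (4, 19, 1, 0))],
}


def parse_version(version):
    """'4.19.1.0' -> (4, 19, 1, 0); '4.10.0' is padded to four components."""
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    return parts + (0,) * (4 - len(parts))


def version_affected(version):
    """Return the CVE IDs whose affected range contains `version`."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(lo <= v <= hi for lo, hi in ranges)]


def parse_query(url):
    """Decode the query string of a request URL into a dict (used by fake transports)."""
    return dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))


class CloudStackClient:
    """Minimal signed-request client; `opener` replaces HTTP with a callable."""

    def __init__(self, endpoint, api_key, secret_key, opener=None):
        self.endpoint = endpoint  # e.g. https://cs.example/client/api (assumed)
        self.api_key = api_key
        self.secret_key = secret_key
        self._open = opener or self._http_get

    def sign(self, params):
        """HMAC-SHA1 over 'k=v&k=v' sorted by key, lower-cased, values URL-encoded."""
        encoded = "&".join(
            "{}={}".format(k.lower(), urllib.parse.quote_plus(str(params[k])).lower().replace("+", "%20"))
            for k in sorted(params, key=str.lower))
        digest = hmac.new(self.secret_key.encode(), encoded.encode(), hashlib.sha1).digest()
        return base64.b64encode(digest).decode()

    def call(self, command, **kwargs):
        params = dict(kwargs, command=command, apikey=self.api_key, response="json")
        query = urllib.parse.urlencode(params) + "&signature=" + urllib.parse.quote_plus(self.sign(params))
        return self._open("{}?{}".format(self.endpoint, query))

    @staticmethod
    def _http_get(url):
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.loads(resp.read().decode())


def cloudstack_version(client):
    """Version string reported by listCapabilities."""
    return client.call("listCapabilities")["listcapabilitiesresponse"]["capability"]["cloudstackversion"]


def regenerate_all_user_keys(client, page_size=100):
    """Rotate every user's API/secret key; returns the user ids rotated, in order.

    The caller's own user is rotated last: registerUserKeys invalidates the
    key this session signs with, so rotating it first would break the loop.
    """
    rotated, own, page = [], [], 1
    while True:
        resp = client.call("listUsers", listall="true", page=page, pagesize=page_size)
        users = resp.get("listusersresponse", {}).get("user", [])
        if not users:
            break
        for user in users:
            if user.get("apikey") == client.api_key:
                own.append(user["id"])
            else:
                client.call("registerUserKeys", id=user["id"])
                rotated.append(user["id"])
        page += 1
    for uid in own:
        client.call("registerUserKeys", id=uid)
        rotated.append(uid)
    return rotated


def foreign_networks(client, own_account):
    """CVE-2024-42222 check, run as a normal or domain-admin user: return ids of
    networks that listNetworks exposes but that belong to a different account."""
    nets = client.call("listNetworks", listall="true").get("listnetworksresponse", {}).get("network", [])
    return [n["id"] for n in nets if n.get("account") != own_account]
```

Run `regenerate_all_user_keys` with a root admin key pair after the upgrade; each `registerUserKeys` response carries the new pair, which has to be handed to the user out of band. `foreign_networks` is meant to be run with a non-root account's keys on the patched release and should come back empty, apart from shared networks that other accounts are legitimately allowed to see, which need a manual look.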
The vulnerabilities were reported by:
- CVE-2024-42062 : Fabricio Duarte
- CVE-2024-42222 : Christian Gross of Netcloud AG and Midhun Jose
These critical vulnerabilities highlight the importance of maintaining up-to-date software and promptly addressing security issues.
The Apache CloudStack project’s swift release of these updates underscores the community’s commitment to security and reliability. Users are urged to upgrade immediately to ensure the continued protection of their CloudStack environments.