The Apache CloudStack project has announced an advisory for CVE-2024-41107, which affects CloudStack SAML users and is rated 'important' in severity, as explained below.
CVE-2024-41107: SAML Signature Exclusion
The CloudStack SAML authentication plugin (disabled by default) does not enforce signature checks. In CloudStack environments where SAML authentication is enabled, an attacker who initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and a known or guessed username and other user details of a SAML-enabled CloudStack user account. In such environments, this can result in a complete compromise of the resources owned by and/or accessible to a SAML-enabled user account.
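To show the defect class concretely, here is an added example (not CloudStack's code) of a SAML response validator that only verifies signatures when one is present, next to the hardened form that refuses any unsigned response; the `verify` callable stands in for the deployment's XML-DSig verifier (an assumed interface), and both sample responses are constructed.

```python
"""Signature-exclusion check for SAML Responses (illustrative, not CloudStack code)."""
import xml.etree.ElementTree as ET
from typing import Callable, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: a Response with no ds:Signature anywhere.
UNSIGNED_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same Response with a signed Assertion.
SIGNED_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def signed_elements(xml_bytes: bytes) -> List[str]:
    """IDs of the Response and its Assertions that carry a direct ds:Signature child."""
    root = ET.fromstring(xml_bytes)
    candidates = [root] + root.findall("saml:Assertion", NS)
    return [el.get("ID") for el in candidates if el.find("ds:Signature", NS) is not None]

def vulnerable_accept(xml_bytes: bytes, verify: Callable[[bytes, str], bool]) -> bool:
    """Verifies signatures only if present: an unsigned response is accepted (all([]) is True)."""
    return all(verify(xml_bytes, i) for i in signed_elements(xml_bytes))

def hardened_accept(xml_bytes: bytes, verify: Callable[[bytes, str], bool]) -> bool:
    """Require at least one signature, and require every signature to verify.
    A complete check additionally confirms the signature covers the Assertion consumed."""
    ids = signed_elements(xml_bytes)
    if not ids:
        raise ValueError("SAML response carries no XML signature; rejecting")
    return all(verify(xml_bytes, i) for i in ids)
```

The `verify` callable is assumed to wrap a real XML-DSig implementation (for example xmlsec) checking the signature against the IdP's configured certificate; the test below substitutes a trivial callable to exercise the control flow only.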
Credits
The original issue was reported by Christian Gross of Netcloud AG who filed it as a bug report. More recently it was reported as a security issue by the following reporters from the Apple Services Engineering Security team:
- Damon Smith
- Adam Pond
- Terry Thibault
Affected Versions
- Apache CloudStack 4.5.0 through 4.18.2.1
- Apache CloudStack 4.19.0.0 through 4.19.0.2
Resolution
ShapeBlue, along with the Apache CloudStack community, has released LTS releases 4.19.1.0 and 4.18.2.2 to address the CVE affecting CloudStack SAML users.
Affected users are recommended either to disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or to upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.
Please refer to https://www.shapeblue.com/cloudstack-packages/ for details on using the ShapeBlue-provided 4.18-based and 4.19-based patch releases. To apply these patches, use the ShapeBlue CloudStack 4.18 or 4.19 repositories to upgrade the packages on the management server hosts.
Further information
ShapeBlue support customers should get in touch with the support team for further information. Other CloudStack users should use the community mailing lists.
Rohit Yadav oversees the Software Engineering function at ShapeBlue, providing leadership and mentorship to our ever-growing Engineering Team. He has been a PMC member of the project since 2015. Rohit is the author & maintainer of the CloudStack CloudMonkey project and has been instrumental in the development of many of CloudStack’s flagship features. Rohit regularly speaks at events, focussing on developer access to the project, and has also mentored Google Summer of Code students.