Category: Advisories

ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.2.5 and 4.19.1.3

The Apache CloudStack project has announced an advisory against  CVE-2024-50386 (severity ‘Important’). CVE-2024-50386: Directly downloaded templates can be used to abuse KVM-based infrastructure Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in […]

ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.2.4 and 4.19.1.2

The Apache CloudStack project has announced an advisory against CVE-2024-45219 (severity ‘Important’), CVE-2024-45461 (severity ‘Moderate’), CVE-2024-45462 (severity ‘Moderate’) and CVE-2024-45693 (severity ‘Important’), explained below. CVE-2024-45219: Uploaded and registered templates and volumes can abuse KVM-based infrastructure Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for […]

ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.2.3 and 4.19.1.1

The Apache CloudStack project has announced an advisory against CVE-2024-42062 and CVE-2024-42222, both of severity rating ‘critical’, explained below. CVE-2024-42062: User Key Exposure to Domain Admins CloudStack account-users by default use username and password based authentication for API and UI access. Account-users can generate and register randomised API and secret keys and use them for the […]

ShapeBlue Security Advisory: Apache CloudStack CVE-2024-41107 SAML Signature Exclusion

The Apache CloudStack project has announced an advisory against CVE-2024-41107 that affects CloudStack SAML users, of severity ‘important’ explained below. CVE-2024-41107: SAML Signature Exclusion The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass […]

ShapeBlue Security Advisory: Apache CloudStack Security Releases 4.18.2.1 and 4.19.0.2

The Apache CloudStack project has announced an advisory against CVE-2024-38346 and CVE-2024-39864, both of severity rating ‘important’, explained below. CVE-2024-38346: Unauthenticated cluster service port leads to remote execution The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of […]

ShapeBlue Security Advisory : Apache CloudStack Security Releases 4.18.1.1 and 4.19.0.1

Apache CloudStack Security Releases 4.18.1.1 and 4.19.0.1

Overview Apache CloudStack project has issued an advisory against the following CVEs: CVE-2024-29006: x-forwarded-for HTTP header parsed by default Severity: moderate Description: By default the CloudStack management server honours the x-forwarded-for HTTP header and logs it as the source IP of an API request. This could lead to authentication bypass and other operational problems should […]

ShapeBlue Security Advisory for CVE-2022-35741: XXE vulnerability in SAML 2.0 Service Provider Plugin for CloudStack

18 July 2022 13:30 UTC Versions Affected Any version of Apache CloudStack >= 4.5 (including currently supported versions: 4.16.0, 4.16.1, 4.17) Scope Any Apache CloudStack (affected versions) environments that have the SAML plugin enabled. Summary Apache CloudStack enables authentication through SAML 2.0 by providing a SAML 2.0 Service Provider Plugin. This plugin is disabled by […]

ShapeBlue Advisory on Libvirt 8+ Compatibility Issues with CloudStack

Overview As of the 4.15 release, CloudStack has supported various EL8 operating systems / hypervisors, namely RHEL 8, CentOS 8, Rocky Linux 8 (and in theory – as of CloudStack 4.16 – all other EL8 variants including e.g. Alma Linux 8) – for both management servers and hypervisors. Similarly, support for Ubuntu 20.04 was added […]

Machine Learning and Apache CloudStack | Case Studies

Introduction In this blog we discuss applications of machine learning (ML) in datacenters and how that might integrate with Apache CloudStack (ACS). We also try to identify various places in the lifecycle of datacentres where such tools can be helpful. With any datacentre deployment, the primary goal is to achieve efficient resource provisioning whilst also […]

ShapeBlue Security Advisory – Spectre and Meltdown patches in CloudStack 4.9 and 4.11

Overview At the beginning of 2018 a number of vulnerabilities were discovered which allow malicious user space processes to read kernel memory and malicious code in VM guests to read hypervisor memory. These vulnerabilities affect most CPU manufacturers – Intel, AMD, ARM, MIPS, etc. The vulnerabilities were nicknamed “Spectre” and “Meltdown” and are outlined in […]

Our Services

Apache CloudStack

Good Business Charter White Logo
ShapeBlue - member of the Employee Ownership Association

Resources

Contact

About

CloudStack Packages

Twitter Facebook Linkedin-in
Good Business Charter White Logo
ShapeBlue - member of the Employee Ownership Association

London

MOUNTAINVIEW, CA

SÃO PAULO

Cape town

bangalore
Twitter Facebook Linkedin-in Github

© Copyright – ShapeBlue Ltd 2013-2024. All rights reserved.

ShapeBlue Ltd is a company incorporated in England & Wales. ShapeBlue is a registered trademark.

CloudStack and the CloudStack logo are trademarks of the Apache Software Foundation.

Migration Guide: VMware to Apache CloudStack

Download a step-by-step guide to migrate your existing vSphere environment to a robust IaaS cloud environment based on Apache CloudStack and the KVM Hypervisor, ensuring a smooth, low-friction migration journey.

Learn more