18 July 2022 13:30 UTC
Versions Affected
Any version of Apache CloudStack >= 4.5 (including currently supported versions: 4.16.0, 4.16.1, 4.17)
Scope
Any Apache CloudStack (affected versions) environments that have the SAML plugin enabled.
Summary
Apache CloudStack supports authentication through SAML 2.0 by means of a SAML 2.0 Service Provider plugin. The plugin is disabled by default and is enabled by setting the global setting saml2.enabled to true. With this setting set to true, affected versions of Apache CloudStack are exposed to XML external entity (XXE) injection, which could allow arbitrary file reading, denial of service and server-side request forgery (SSRF) on the CloudStack management server. Tests have shown that the vulnerability is exploitable in the affected versions.
Mitigation
Operators of Apache CloudStack environments based on affected versions that do NOT use SAML 2 authentication should:
- Check that the global setting saml2.enabled is set to false and restart all CloudStack management server(s). Or,
- Install the appropriate Security Patch.
Operators of Apache CloudStack environments based on affected versions that do use SAML 2 authentication should:
- Set the global setting saml2.enabled to false and restart all CloudStack management server(s). This disables the SAML 2 plugin and single-sign-on authentication; operators should use an alternative authentication mechanism until a Security Patch can be applied. Or,
- Install the appropriate Security Patch.
Details
The SAML 2.0 messages exchanged during the authentication flow in Apache CloudStack are XML documents. In affected versions this XML is parsed by standard libraries configured in a way that leaves them vulnerable to XML external entity (XXE) injection.
XXE is a class of web security vulnerability in which an attacker interferes with an application's processing of XML data by supplying a document whose DTD declares external entities. It commonly allows the attacker to read files on the application server's filesystem and to interact with any back-end or external systems that the application itself can reach. In some situations an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure by using it to perform server-side request forgery (SSRF).
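The following is an added example and is not code from this advisory or from CloudStack. It uses Python's bundled expat parser to show the class of bug described above on a constructed SAML-style <samlp:Response>: one parser resolves external entities by fetching their system ID (the behaviour that turns a DTD into arbitrary file read and SSRF), the other refuses any DOCTYPE, which is the usual hardening for SAML because assertions never legitimately carry a DTD. The secret file, its path, the file content and both XML documents are constructed for the demonstration; CloudStack's own SAML plugin is Java and its parser configuration is not reproduced here.

```python
"""Added example (not from the advisory or CloudStack): XXE via a SAML-style
response, parsed by an entity-resolving parser and by a DOCTYPE-rejecting one."""
import os
import tempfile
import urllib.request
import xml.parsers.expat

# Constructed stand-in for a sensitive file on the management server.
SECRET_DIR = tempfile.mkdtemp(prefix="xxe-demo-")
SECRET_PATH = os.path.join(SECRET_DIR, "db.properties")
SECRET_CONTENT = "db.cloud.password=hunter2"
with open(SECRET_PATH, "w", encoding="utf-8") as fh:
    fh.write(SECRET_CONTENT)

# Constructed, trimmed-down response envelope; {nameid} is filled in below.
SAML_ENVELOPE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_demo" Version="2.0">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>{nameid}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def build_benign() -> bytes:
    """Well-formed response as a legitimate IdP would send it (no DTD)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + SAML_ENVELOPE.format(nameid="alice@example.com")).encode()


def build_payload(path: str) -> bytes:
    """Attacker response: the DTD declares an external entity and NameID
    dereferences it, so the file content becomes the asserted user name."""
    dtd = ('<!DOCTYPE samlp:Response [\n'
           f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
           ']>\n')
    return ('<?xml version="1.0" encoding="UTF-8"?>\n' + dtd
            + SAML_ENVELOPE.format(nameid="&xxe;")).encode()


class NameIdCollector:
    """Collects the character data of NameID, which a service provider maps
    to a local account (and typically logs or echoes back on failure)."""

    def __init__(self):
        self.inside = False
        self.nameid = ""

    def start(self, name, attrs):
        if name.rsplit(":", 1)[-1] == "NameID":
            self.inside = True

    def end(self, name):
        if name.rsplit(":", 1)[-1] == "NameID":
            self.inside = False

    def chars(self, data):
        if self.inside:
            self.nameid += data


def _parser(collector):
    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = collector.start
    p.EndElementHandler = collector.end
    p.CharacterDataHandler = collector.chars
    return p


def parse_vulnerable(doc: bytes) -> str:
    """Parser that resolves external entities by fetching their system ID.
    file:// yields arbitrary file read; http:// to an internal host is SSRF."""
    collector = NameIdCollector()
    parser = _parser(collector)

    def resolve(context, base, system_id, public_id):
        with urllib.request.urlopen(system_id) as resp:  # attacker-chosen URL
            replacement = resp.read()
        # Parse the fetched bytes as the entity's replacement text; the child
        # parser inherits the parent's handlers, so the text lands in NameID.
        parser.ExternalEntityParserCreate(context).Parse(replacement, True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(doc, True)
    return collector.nameid.strip()


def parse_hardened(doc: bytes) -> str:
    """Parser that refuses any DOCTYPE. Without a DTD there are no entity
    declarations, so file read, SSRF and entity-expansion DoS are all closed."""
    collector = NameIdCollector()
    parser = _parser(collector)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in a SAML message")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Defence in depth: should a DTD ever be processed, never fetch anything.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.Parse(doc, True)
    return collector.nameid.strip()


def hardened_rejects(doc: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(doc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload(SECRET_PATH)
    print("vulnerable parser NameID:", parse_vulnerable(payload))
    print("hardened parser, benign NameID:", parse_hardened(build_benign()))
    print("hardened parser rejects payload:", hardened_rejects(payload))
```

The vulnerable parser returns the contents of the constructed secret file as the NameID, which is exactly the data a service provider would then log, display in an error, or use for account lookup; the hardened parser still accepts the benign response and rejects the payload before any entity is declared. Disabling DTD processing outright, rather than only blocking external entities, is preferable because it also removes internal-entity expansion attacks, which the paragraph above lists as a denial-of-service risk.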
Resolution: Security Patch
ShapeBlue, together with the Apache CloudStack community, has released security patches for both the 4.16 and 4.17 LTS branches that fix this issue. ShapeBlue has additionally released customer security patches for the 4.15 branch.
The 4.15, 4.16 and 4.17 patches are available in the ShapeBlue repositories; please refer to https://www.shapeblue.com/packages for usage. To apply them, use the ShapeBlue CloudStack repositories to upgrade the packages on the management server(s).
Further information
For ShapeBlue support customers, please contact the support team for further information. For other CloudStack users, please use the community mailing lists.
Rohit Yadav oversees the Software Engineering function at ShapeBlue, providing leadership and mentorship to our ever-growing Engineering Team. He has been a PMC member of the project since 2015. Rohit is the author and maintainer of the CloudStack CloudMonkey project and has been instrumental in the development of many of CloudStack's flagship features. Rohit regularly speaks at events, focusing on developer access to the project, and has also mentored Google Summer of Code students.