Friday, July 19, 2024

ShapeBlue Security Advisory: Apache CloudStack CVE-2024-41107 SAML Signature Exclusion

The Apache CloudStack project has announced an advisory against CVE-2024-41107 that affects CloudStack SAML users, of severity ‘important’ explained below.

CVE-2024-41107: SAML Signature Exclusion

The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account. In such environments, this can result in a complete compromise of the resources owned and/or accessible by a SAML enabled user-account.

Credits

The original issue was reported by Christian Gross of Netcloud AG who filed it as a bug report. More recently it was reported as a security issue by the following reporters from the Apple Services Engineering Security team:

  • Damon Smith
  • Adam Pond
  • Terry Thibault

Affected Versions

  • Apache CloudStack 4.5.0 through 4.18.2.1
  • Apache CloudStack 4.19.0.0 through 4.19.0.2

Resolution

ShapeBlue, along with the Apache CloudStack community have released LTS releases 4.19.1.0 and 4.18.2.2 to address the CVE that affects CloudStack SAML users.

Affected users are recommended to disable the SAML authentication plugin by setting the “saml2.enabled” global setting to “false”, or upgrade to version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.

Please refer to https://www.shapeblue.com/cloudstack-packages/ for usage of ShapeBlue provided 4.18-based and 4.19-based patch releases. To apply these patches, use the ShapeBlue CloudStack 4.18 or 4.19 repositories to upgrade packages on the management server hosts.

Further information

For ShapeBlue support customers, please get in touch with the support team for further information. For other CloudStack users, please use the community mailing lists.

The post ShapeBlue Security Advisory: Apache CloudStack CVE-2024-41107 SAML Signature Exclusion appeared first on ShapeBlue.



from CloudStack Consultancy & CloudStack... https://ift.tt/cWKuyDV
via IFTTT

No comments:

Post a Comment