Apache CloudStack version 4.5.0 and later ships a SAML 2.0 authentication Service Provider plugin which has been found to be vulnerable to XML external entity (XXE) injection. The plugin is not enabled by default, and an attacker would require it to be enabled in order to exploit the vulnerability. The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based, and that XML is parsed by various standard libraries that are now understood to be vulnerable to XXE injection. On affected versions with the SAML 2.0 plugin enabled, this could potentially allow arbitrary file reading, denial of service and server-side request forgery (SSRF) on the CloudStack management server.
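The mechanism the advisory describes, as an added example that is not CloudStack's code: the plugin is Java, but the failure mode is a property of the XML parser, so this is shown with Python's standard-library expat parser. The SAML-Response-shaped message, the secret file it points at and the `alice@example.com` NameID are all constructed for the example; extracting `saml:NameID` stands in for whatever the application later trusts from the parsed message. The vulnerable parser resolves `SYSTEM` entities from disk, the hardened one refuses any `DOCTYPE` before an entity can be declared.

```python
import os
import tempfile
import xml.parsers.expat as expat


class DoctypeRejected(Exception):
    """Raised by the hardened parser as soon as a <!DOCTYPE> is seen."""


def build_response(entity_target: str) -> str:
    """Constructed SAML-Response-shaped message whose NameID is an external
    entity pointing at a local file (the XXE payload)."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY xxe SYSTEM "{entity_target}">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>&xxe;</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


# Benign message with no DOCTYPE at all (constructed; the NameID is made up).
CLEAN_RESPONSE = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def _collect_nameid(parser):
    """Install handlers that gather the text of <saml:NameID>; returns the chunk list."""
    inside = [False]
    chunks = []

    def start(name, attrs):
        if name == "saml:NameID":
            inside[0] = True

    def end(name):
        if name == "saml:NameID":
            inside[0] = False

    def chars(data):
        if inside[0]:
            chunks.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return chunks


def parse_nameid_vulnerable(xml_text: str) -> str:
    """Resolves SYSTEM entities from disk: the behaviour the advisory warns about.
    The file's bytes become the NameID the application goes on to trust."""
    parser = expat.ParserCreate()
    chunks = _collect_nameid(parser)

    def fetch_external(context, base, system_id, public_id):
        child = parser.ExternalEntityParserCreate(context)  # inherits our handlers
        with open(system_id, "rb") as fh:                    # attacker chooses the path
            child.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_nameid_hardened(xml_text: str) -> str:
    """Rejects any DOCTYPE before a single entity can be declared, and installs no
    external-entity handler, so file reads, SSRF and entity-expansion DoS have
    nothing to hook into."""
    parser = expat.ParserCreate()
    chunks = _collect_nameid(parser)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed in SAML messages")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_text, True)
    return "".join(chunks)


def demo():
    """Write a constructed secret file, feed the payload to both parsers and return
    (what the vulnerable parser leaked, whether the hardened parser refused)."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write("db.cloud.password=s3cr3t-constructed-example")  # constructed secret
        secret_path = fh.name
    try:
        payload = build_response(secret_path)
        leaked = parse_nameid_vulnerable(payload)
        try:
            parse_nameid_hardened(payload)
            refused = False
        except DoctypeRejected:
            refused = True
        return leaked, refused
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable parser returned NameID:", leaked)
    print("hardened parser refused the DOCTYPE:", refused)
    print("hardened parser on a clean message:", parse_nameid_hardened(CLEAN_RESPONSE))
```

Rejecting the DOCTYPE outright is the blanket fix: SAML messages never legitimately carry one, and it closes internal entity expansion as well as external entities. In Java the equivalent is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the `DocumentBuilderFactory` before parsing.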
Meet the Community - K B Shiv Kumar
Introduce yourself with a few words
I am K B Shiv Kumar and am the Co-Founder and CTO at IndiQus. I am based out of Delhi, India and am passionate about travelling and dig going on driving holidays with my friends and family. I love listening to music and ABBA has been my all-time favourite band since childhood.
[ADVISORY] Apache CloudStack Advisory on KVM Shared Mount Point issues on version 4.17.0.0
On 14th June 2022, a new issue affecting only KVM users using Shared Mount Point storage was reported [1]. This issue affects the creation and the usage of existing Shared Mount Point storage pools on Apache CloudStack 4.17.0.0.
Apache CloudStack 4.17.0.0 added support for StorPool storage, which is based on Shared Mount Point. However, this version of CloudStack does not allow multiple implementations of Shared Mount Point storage pool providers, so the StorPool provider overrides the default implementation. This affects the other storage pool providers for Shared Mount Point, since CloudStack tries to add their pools as StorPool storage pools.
To mitigate the issue, a CloudStack administrator needs to do the following on version 4.17.0.0:
- On each management server: stop the CloudStack management service, remove the StorPool plugin jar at /usr/share/cloudstack-management/lib/cloud-plugin-storage-volume-storpool-4.17.0.0.jar and restart the CloudStack management service
- On each KVM host: stop the CloudStack agent service, remove the StorPool plugin jar at /usr/share/cloudstack-agent/lib/cloud-plugin-storage-volume-storpool-4.17.0.0.jar and restart the CloudStack agent service
Note: This workaround removes StorPool plugin support. StorPool users should not apply the workaround if they want to continue using their StorPool storage.
This issue will be fixed in the upcoming CloudStack version 4.17.1.0.
Apache CloudStack 4.17.0.0 LTS Release
The Apache Software Foundation Announces Apache® CloudStack® v4.17
Apache CloudStack 4.17.0.0 is a 4.17 LTS release with 383 new features, improvements and bug fixes since 4.16, including 16 major new features. Some of the highlights include:
What's New in Apache CloudStack 4.17
Apache CloudStack 4.17 is the latest release of the cloud management platform from the Apache Software Foundation and is the result of months of work from the development community. Apache CloudStack 4.17 is an LTS (Long Term Support) release and will be maintained for a period of 18 months after release.
CloudStack Collaboration Conference 2022 - November 14-16
For the 10th consecutive year, the Apache CloudStack community is organising its major event, the CloudStack Collaboration Conference, running from 14th to 16th November 2022. The event will be hybrid, giving attendees and speakers the option to join in Sofia, Bulgaria (exact location TBD) or remotely from their computers. This will allow more people from the Apache CloudStack community, and people interested in the technology, to learn more about it and its latest capabilities and integrations.
Meet the Community - Simon Weller - VP of Apache CloudStack
Simon Weller is the new VP of Apache CloudStack, announced in late March 2022. Simon has been an Apache CloudStack PMC member for the last few years. He has a strong technology background across multiple competencies, including networking and systems. In addition, he has a significant business development background with both start-ups and established organizations, and is a highly experienced strategic thinker and relationship builder.
CloudStack Advisory on Spring4Shell (CVE-2022-22965 and CVE-2022-22963)
At the beginning of April 2022, vulnerabilities in the Spring Framework for Java were publicly revealed. Many companies observed active exploitation of the Spring4Shell vulnerability, assigned CVE-2022-22965, which allows remote code execution; attackers used it to deploy the Mirai botnet malware. The exploit downloads the Mirai sample to the /tmp folder and executes it after setting the execute permission with chmod.
CloudStack European User Group Virtual - April 7th, 2022
Apache CloudStack is thrilled to share the word of the upcoming CloudStack European User Group Virtual Conference - the virtual get together for the European CloudStack Community. The event is taking place on 7th April 2022, where you will be able to meet the leading CloudStack experts, users and skilful engineers from the open-source world.
CloudStack Integrations: LINBIT - Open-source SDS Solution
CloudStack is a multi-hypervisor, multi-tenant, high-availability cloud management platform that delivers the flexibility and freedom of open-source technology and the power of an enterprise-grade virtualization management platform.
In the new blog series named CloudStack Integrations, we will present a range of technologies with which CloudStack is integrated and can become part of your technology stack. You will be able to learn more about different software solutions, which can be combined with CloudStack and dive deep into specialized Technical Solution Briefs presenting the integrations.
Today we introduce you to LINBIT.