The Apache CloudStack project announces the LTS security releases 4.19.1.0 and 4.18.2.2, which address CVE-2024-41107, a vulnerability of severity 'important' that affects CloudStack deployments using SAML authentication. Details are given below.
CVE-2024-41107: SAML Signature Exclusion
The CloudStack SAML authentication plugin (disabled by default) does not enforce verification of the signature on SAML responses. In environments where SAML authentication is enabled, an attacker who initiates a CloudStack SAML single sign-on flow can bypass authentication by submitting a spoofed SAML response that carries no signature, together with the known or guessed username and other user details of a SAML-enabled CloudStack user account. In such environments this can result in complete compromise of the resources owned by, or accessible to, that user account.
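The bug class described above, as an added example that is not CloudStack's own code: a minimal SAML response handler that checks the signature only when a ds:Signature element happens to be present, beside a fixed handler that rejects any response without a valid signature. Everything in it is constructed and assumed for the demo: a keyed HMAC-SHA256 over the serialized Assertion stands in for XML-DSig checked against the IdP certificate, serializing the Assertion with its Signature removed stands in for XML canonicalization, and the demo key, user names and element IDs are made up.

```python
"""Added example (not CloudStack code): why "verify the signature only if one
is present" lets an unsigned, attacker-built SAML Response log in as any user
whose NameID the attacker knows or guesses.

Simplifications (all assumptions for the demo):
  - HMAC-SHA256 with a demo key stands in for XML-DSig against the IdP cert.
  - Serializing the Assertion minus its ds:Signature stands in for C14N.
  - The vulnerable handler models the bug class in the advisory: the
    signature is verified when present but never required.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional, Set

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed demo key; stands in for the IdP's signing key / certificate.
IDP_KEY = b"demo-idp-signing-key"


def _signed_bytes(assertion: ET.Element) -> bytes:
    """Serialize the Assertion with any Signature child removed (C14N stand-in)."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return ET.tostring(clone, encoding="utf-8")


def build_response(username: str, sign: bool) -> str:
    """Build a SAML Response asserting `username`; unsigned when sign=False.

    With sign=False this is what an attacker can produce without the IdP key.
    """
    resp = ET.Element(f"{{{NS['samlp']}}}Response", {"ID": "_resp1", "Version": "2.0"})
    assertion = ET.SubElement(resp, f"{{{NS['saml']}}}Assertion", {"ID": "_a1", "Version": "2.0"})
    subject = ET.SubElement(assertion, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subject, f"{{{NS['saml']}}}NameID").text = username
    if sign:
        mac = hmac.new(IDP_KEY, _signed_bytes(assertion), hashlib.sha256).hexdigest()
        sig = ET.SubElement(assertion, f"{{{NS['ds']}}}Signature")
        ET.SubElement(sig, f"{{{NS['ds']}}}SignatureValue").text = mac
    return ET.tostring(resp, encoding="unicode")


def _signature_valid(assertion: ET.Element) -> bool:
    """True only if a SignatureValue exists and matches the signed bytes."""
    sig = assertion.find("ds:Signature/ds:SignatureValue", NS)
    if sig is None or not sig.text:
        return False
    expected = hmac.new(IDP_KEY, _signed_bytes(assertion), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text.strip())


def _name_id(assertion: ET.Element) -> Optional[str]:
    node = assertion.find("saml:Subject/saml:NameID", NS)
    return node.text if node is not None else None


def vulnerable_login(response_xml: str, known_users: Set[str]) -> Optional[str]:
    """Bug class: signature is verified only when a ds:Signature element exists."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return None
    if assertion.find("ds:Signature", NS) is not None and not _signature_valid(assertion):
        return None
    user = _name_id(assertion)  # unsigned response: NameID is trusted as-is
    return user if user in known_users else None


def fixed_login(response_xml: str, known_users: Set[str]) -> Optional[str]:
    """Fix: a missing or invalid signature rejects the response outright."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None or not _signature_valid(assertion):
        return None
    user = _name_id(assertion)
    return user if user in known_users else None


if __name__ == "__main__":
    users = {"alice"}
    legit = build_response("alice", sign=True)
    spoofed = build_response("alice", sign=False)  # attacker guessed the username
    print("signed   ->", vulnerable_login(legit, users), fixed_login(legit, users))
    print("unsigned ->", vulnerable_login(spoofed, users), fixed_login(spoofed, users))
```

The unsigned response logs in as "alice" through the vulnerable handler and is rejected by the fixed one; a signed response whose NameID is edited after signing is rejected by both, because the check itself was never the problem, only the fact that it could be skipped.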
Credits
The original issue was reported by Christian Gross of Netcloud AG who filed it as a bug report at https://github.com/apache/cloudstack/issues/4519.
More recently it was reported as a security issue by the following reporters from the Apple Services Engineering Security team:
- Damon Smith
- Adam Pond
- Terry Thibault
Affected versions:
- Apache CloudStack 4.5.0 through 4.18.2.1
- Apache CloudStack 4.19.0.0 through 4.19.0.2
Resolution
Affected users are advised to either disable the SAML authentication plugin by setting the "saml2.enabled" global setting to "false", or upgrade to version 4.18.2.2 or 4.19.1.0 (or later), which address this issue. Disabling the plugin is a mitigation; upgrading is the fix.
Downloads and Documentation
The official source code for the 4.18.2.2 and 4.19.1.0 releases can be downloaded from the project downloads page:
https://cloudstack.apache.org/downloads
The 4.18.2.2 and 4.19.1.0 release notes can be found at:
- https://docs.cloudstack.apache.org/en/4.18.2.2/releasenotes/about.html
- https://docs.cloudstack.apache.org/en/4.19.1.0/releasenotes/about.html
In addition to the official source code release, individual contributors have also made release packages available on the Apache CloudStack download page, and available at: