Daniel Augusto Veronezi Salvador

#30873 of 53,635
8.5 Total CVSS
Vulnerabilities · 1
PT-2024-31486
8.5
2024-10-15
Apache · Apache Cloudstack · CVE-2024-45219
**Name of the Vulnerable Software and Affected Versions**

- Apache CloudStack versions 4.0.0 through 4.18.2.3
- Apache CloudStack versions 4.19.0.0 through 4.19.1.1

**Description**

The issue arises from missing validation checks for KVM-compatible templates and volumes in Apache CloudStack. An attacker who can upload or register templates and volumes can deploy malicious instances or attach uploaded volumes to existing instances in KVM-based environments. This could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and loss of availability of the KVM-based infrastructure managed by CloudStack.

**Recommendations**

For Apache CloudStack versions 4.0.0 through 4.18.2.3, upgrade to Apache CloudStack 4.18.2.4 or later. For Apache CloudStack versions 4.19.0.0 through 4.19.1.1, upgrade to Apache CloudStack 4.19.1.2 or later.

Additionally, operators can scan all user-uploaded or registered KVM-compatible templates and volumes to ensure they are flat files and do not use any additional or unnecessary features. This can be done by running the following command on their secondary storage(s) and inspecting the output (the regex and the file name are quoted here so the shell does not expand or word-split them):

```sh
for file in $(find /path/to/storage/ -type f -regex '[a-f0-9-]*.*'); do
  echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."
  qemu-img info -U "$file" | grep file:
  printf "\n"
done
```

An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk.
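The check above relies on an operator reading raw `qemu-img info` output by eye. The following script, an added example that is not part of the advisory or of the CloudStack project, wraps the same check in a function that classifies the output (flagging any `backing file:` line, which is how a qcow2 image references a path outside the image itself) and in a scanner that walks a secondary-storage path with the advisory's file pattern. The two sample outputs are constructed for the demonstration; the storage path and the `OUTSIDE_STORAGE` placeholder are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the advisory or CloudStack): classify `qemu-img info`
# output and scan a secondary-storage directory for images with backing files.

# Constructed sample: a flat qcow2 template with no external references.
CLEAN_SAMPLE='image: /secondary/template/tmpl/2/201/a1b2c3d4-0000-4000-8000-000000000001.qcow2
file format: qcow2
virtual size: 8 GiB (8589934592 bytes)
disk size: 1.2 GiB
cluster_size: 65536'

# Constructed sample: the same image with a backing-file reference, the
# indicator the advisory's `grep file:` is meant to surface. The path is a
# placeholder, not a real location.
SUSPECT_SAMPLE='image: /secondary/template/tmpl/2/202/a1b2c3d4-0000-4000-8000-000000000002.qcow2
file format: qcow2
virtual size: 8 GiB (8589934592 bytes)
disk size: 1.2 GiB
cluster_size: 65536
backing file: /host/path/OUTSIDE_STORAGE
backing file format: raw'

# check_qemu_info TEXT
# Returns 0 when TEXT (the output of `qemu-img info -U <image>`) contains no
# backing-file reference, 1 when it does. Matching the line start avoids
# false positives on the "file format:" line that every image carries.
check_qemu_info() {
    if printf '%s\n' "$1" | grep -q '^backing file:'; then
        return 1
    fi
    return 0
}

# scan_secondary_storage DIR
# Runs qemu-img info on every regular file under DIR matching the advisory's
# pattern and reports images that reference a backing file. Returns 1 if any
# image was flagged, 0 otherwise. Requires qemu-img on the host.
scan_secondary_storage() {
    flagged=0
    for file in $(find "$1" -type f -regex '[a-f0-9-]*.*'); do
        if ! info=$(qemu-img info -U "$file" 2>/dev/null); then
            echo "WARN: could not read [$file]; inspect it manually"
            continue
        fi
        if ! check_qemu_info "$info"; then
            echo "SUSPECT: [$file] references a backing file:"
            printf '%s\n' "$info" | grep '^backing file'
            flagged=$((flagged + 1))
        fi
    done
    echo "Scan complete: $flagged image(s) flagged"
    [ "$flagged" -eq 0 ]
}

# report NAME TEXT: print the verdict for one sample.
report() {
    if check_qemu_info "$2"; then
        echo "$1: clean (no backing file)"
    else
        echo "$1: backing file reference found"
    fi
}

# Demonstration on the constructed samples; no qemu-img needed for this part.
report CLEAN_SAMPLE "$CLEAN_SAMPLE"
report SUSPECT_SAMPLE "$SUSPECT_SAMPLE"

# Pass a real secondary-storage path as the first argument to scan it.
if [ -n "${1:-}" ]; then
    scan_secondary_storage "$1"
fi
```

Because `check_qemu_info` takes the info text rather than a path, it can be tested against captured output and reused from a cron job or a monitoring agent; `scan_secondary_storage` exits non-zero whenever anything is flagged, so it can gate an alert directly.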