PT-2024-34170 · Apache · Apache Cloudstack

Kiran Chavala

·

Published

2024-11-12

·

Updated

2024-11-16

·

CVE-2024-50386

CVSS v3.1

9.9

Critical

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions 4.0.0 through 4.18.2.4; Apache CloudStack versions 4.19.0.0 through 4.19.1.2
Description: Account users in Apache CloudStack are by default allowed to register templates, which are downloaded directly to storage and used to deploy instances. Because the affected versions did not validate KVM-compatible templates (for example, that a qcow2 image is a flat file with no references to other files), an attacker who can register templates can deploy malicious instances on KVM-based environments and use them to reach the host file systems. This could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and loss of availability of the KVM-based infrastructure managed by CloudStack.
Recommendations: Upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, to address this issue. Until the upgrade is done, scan all user-registered KVM-compatible templates and confirm that they are flat files that do not use any additional or unnecessary features. The loop below runs qemu-img info against every file under a storage path and keeps only the output lines that reference another file (for a qcow2 image, the "backing file:" line). Empty output for a disk means it has no references to other files; non-empty output may indicate a compromised disk, which should be checked carefully:

    for file in $(find /path/to/storage/ -type f -regex '[a-f0-9-]*.*'); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U "$file" | grep 'file:'; printf "\n\n"; done

To review the full set of features of each template or volume (format, backing file and any other header features), run the same loop without the grep:

    for file in $(find /path/to/storage/ -type f -regex '[a-f0-9-]*.*'); do echo "Retrieving file [$file] info."; qemu-img info -U "$file"; printf "\n\n"; done

Notes on the check: -U (--force-share) lets qemu-img read an image that a running instance currently has open; the loop relies on shell word splitting, so it assumes storage file names without whitespace (the regex targets the UUID-style names CloudStack uses); and on recent qemu releases the human-readable output also lists child nodes (lines such as "Child node '/file':"), which match the grep as well, so if every image produces output, look for the "backing file:" line specifically or use qemu-img info -U --output=json and check the backing-filename and full-backing-filename fields instead.

Fix

RCE

Related Identifiers

CVE-2024-50386

Affected Products

Apache Cloudstack