Message-ID: <CAM1si4Xe91A5i2qHLBfcu-OPwDu-cN8xeG8KsmEL6MD_3xpVeQ@mail.gmail.com>
Date: Fri, 19 Jul 2024 15:38:30 +0530
From: Abhishek Kumar <shwstppr@...che.org>
To: oss-security@...ts.openwall.com
Subject: [ANNOUNCE] Apache CloudStack CVE-2024-41107: SAML Signature Exclusion

The Apache CloudStack project announces the LTS releases 4.19.1.0 and
4.18.2.2, which address CVE-2024-41107. The issue affects CloudStack SAML
users and is rated 'important'; it is explained below.

# CVE-2024-41107: SAML Signature Exclusion

The CloudStack SAML authentication (disabled by default) does not enforce a
signature check. In CloudStack environments where SAML authentication is
enabled, an attacker who initiates CloudStack SAML single sign-on
authentication can bypass SAML authentication by submitting a spoofed SAML
response with no signature and a known or guessed username and other user
details of a SAML-enabled CloudStack user-account. In such environments,
this can result in a complete compromise of the resources owned and/or
accessible by a SAML-enabled user-account.
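As an added illustration (not CloudStack's own code), this is the fail-closed presence check a SAML service provider has to apply before anything else: a Response whose Response element and Assertion elements all lack a ds:Signature is rejected outright. The two XML documents are constructed samples, the Signature in the second is a placeholder, and passing this gate only means cryptographic verification against the IdP certificate can proceed.

```python
import xml.etree.ElementTree as ET  # parse with defusedxml in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def find_signatures(response_xml):
    """Return (response_signed, all_assertions_signed, assertion_count).
    Only the Response element and its direct saml:Assertion children count;
    a ds:Signature anywhere else in the tree is ignored."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError(f"not a samlp:Response: {root.tag}")
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    assertions = root.findall(f"{{{SAML}}}Assertion")
    all_signed = bool(assertions) and all(
        a.find(f"{{{DS}}}Signature") is not None for a in assertions)
    return response_signed, all_signed, len(assertions)


def check_signature_presence(response_xml):
    """Fail-closed gate: (True, reason) only if the Response or every Assertion
    carries a ds:Signature. EncryptedAssertion is not counted; decrypt and
    re-check first. Passing here does NOT mean the signature is valid: the
    caller must still verify it against the IdP's certificate."""
    response_signed, all_signed, count = find_signatures(response_xml)
    if count == 0:
        return False, "no plaintext Assertion in Response"
    if response_signed or all_signed:
        return True, "signature present, proceed to cryptographic verification"
    return False, "neither the Response nor its Assertions are signed"


# Constructed samples: an unsigned spoof and the same Response with a placeholder
# Assertion signature (a real one carries SignedInfo, digests and KeyInfo).
UNSIGNED = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SIGNED = UNSIGNED.replace("<saml:Subject>", f'<ds:Signature xmlns:ds="{DS}">'
                          "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
                          "</ds:Signature><saml:Subject>")

if __name__ == "__main__":
    print(check_signature_presence(UNSIGNED))  # first element False: rejected
    print(check_signature_presence(SIGNED))    # first element True: verify next
```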

# Credits

The original issue was reported by Christian Gross of Netcloud AG who filed
it as a bug report at https://github.com/apache/cloudstack/issues/4519.

More recently it was reported as a security issue by the following
reporters from the Apple Services Engineering Security team:

- Damon Smith
- Adam Pond
- Terry Thibault

# Affected Versions

- Apache CloudStack 4.5.0 through 4.18.2.1
- Apache CloudStack 4.19.0.0 through 4.19.0.2

# Resolution

Affected users are advised to disable the SAML authentication plugin
by setting the "saml2.enabled" global setting to "false", or to upgrade to
version 4.18.2.2, 4.19.1.0 or later, which address this issue.

# Downloads and Documentation

The official source code for the 4.18.2.2 and 4.19.1.0 releases can be
downloaded from the project downloads page:
https://cloudstack.apache.org/downloads

The 4.18.2.2 and 4.19.1.0 release notes can be found at:
https://docs.cloudstack.apache.org/en/4.18.2.2/releasenotes/about.html
https://docs.cloudstack.apache.org/en/4.19.1.0/releasenotes/about.html

In addition to the official source code release, individual contributors
have also made release packages available on the Apache CloudStack
download page and at:

https://download.cloudstack.org/el/7/
https://download.cloudstack.org/el/8/
https://download.cloudstack.org/el/9/
https://download.cloudstack.org/suse/15/
https://download.cloudstack.org/ubuntu/dists/
https://www.shapeblue.com/cloudstack-packages/
