Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAM1si4Xe91A5i2qHLBfcu-OPwDu-cN8xeG8KsmEL6MD_3xpVeQ@mail.gmail.com>
Date: Fri, 19 Jul 2024 15:38:30 +0530
From: Abhishek Kumar <shwstppr@...che.org>
To: oss-security@...ts.openwall.com
Subject: [ANNOUNCE] Apache CloudStack CVE-2024-41107: SAML Signature Exclusion

Apache CloudStack project announces the release of LTS releases 4.19.1.0
and 4.18.2.2 that addresses CVE-2024-41107 that affects CloudStack SAML
users, of severity 'important' explained below.

# CVE-2024-41107: SAML Signature Exclusion

The CloudStack SAML authentication (disabled by default) does not enforce
signature check. In CloudStack environments where SAML authentication is
enabled, an attacker that initiates CloudStack SAML single sign-on
authentication can bypass SAML authentication by submitting a spoofed SAML
response with no signature and known or guessed username and other user
details of a SAML-enabled CloudStack user-account. In such environments,
this can result in a complete compromise of the resources owned and/or
accessible by a SAML enabled user-account.

# Credits

The original issue was reported by Christian Gross of Netcloud AG who filed
it as a bug report at https://github.com/apache/cloudstack/issues/4519.

More recently it was reported as a security issue by the following
reporters from the Apple Services Engineering Security team:

- Damon Smith
- Adam Pond
- Terry Thibault

# Affected Versions

- Apache CloudStack 4.5.0 through 4.18.2.1
- Apache CloudStack 4.19.0.0 through 4.19.0.2

# Resolution

Affected users are recommended to disable the SAML authentication plugin
by setting the "saml2.enabled" global setting to "false", or upgrade to
version 4.18.2.2, 4.19.1.0 or later, which addresses this issue.

# Downloads and Documentation

The official source code for the 4.18.2.2 and 4.19.1.0 releases can be
downloaded from the project downloads page:
https://cloudstack.apache.org/downloads

The 4.18.2.2 and 4.19.1.0 release notes can be found at:
https://docs.cloudstack.apache.org/en/4.18.2.2/releasenotes/about.html
https://docs.cloudstack.apache.org/en/4.19.1.0/releasenotes/about.html

In addition to the official source code release, individual contributors
have also made release packages available on the Apache CloudStack
download page, and available at:

https://download.cloudstack.org/el/7/
https://download.cloudstack.org/el/8/
https://download.cloudstack.org/el/9/
https://download.cloudstack.org/suse/15/
https://download.cloudstack.org/ubuntu/dists/
https://www.shapeblue.com/cloudstack-packages/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.