|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "[ADVISORY] Apache CloudStack LTS Security Releases 4.20.3.0 and 4.22.0.1" |
| 4 | +tags: [announcement] |
| 5 | +authors: [daan] |
| 6 | +slug: security-release-advisory-4.20.3.0-4.22.0.1 |
| 7 | +--- |
| 8 | + |
| 9 | +[](/blog/security-release-advisory-4.20.3.0-4.22.0.1) |
| 10 | + |
| 11 | +The Apache CloudStack project announces the release of LTS releases [4.20.3.0](https://github.com/apache/cloudstack/releases/tag/4.20.3.0) and [4.22.0.1](https://github.com/apache/cloudstack/releases/tag/4.22.0.1) that address the following security issues: |
| 12 | + |
| 13 | +- CVE-2025-66170 (severity 'Low') |
| 14 | +- CVE-2025-66171 (severity 'Important') |
| 15 | +- CVE-2025-66172 (severity 'Important') |
| 16 | +- CVE-2025-66467 (severity 'Important') |
| 17 | +- CVE-2025-69233 (severity 'Moderate') |
| 18 | +- CVE-2026-25077 (severity 'Important') |
| 19 | +- CVE-2026-25199 (severity 'Moderate') |
| 20 | + |
| 21 | + |
| 22 | +<!-- truncate --> |
| 23 | + |
| 24 | +## [CVE-2025-66170](https://www.cve.org/CVERecord?id=CVE-2025-66170): Any user can list backups that they should not have access to. |
| 25 | + |
| 26 | +The CloudStack Backup plugin has an improper authorization logic in |
| 27 | +versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account |
| 28 | +access in CloudStack 4.21.0.0+ environments, where this plugin is |
| 29 | +enabled and have access to specific APIs can list backups from any |
| 30 | +account in the environment. This vulnerability does not allow them to |
| 31 | +see the contents of the backup. |
| 32 | + |
| 33 | +### Credits |
| 34 | + |
| 35 | +The CVEs are credited to the following reporters: |
| 36 | + |
| 37 | + - Fabricio Duarte <fabricio.duarte.jr@gmail.com> (reporter) |
| 38 | + - Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com> (reporter) |
| 39 | + - Gabriel Pordeus Santos <gabrielpordeus@gmail.com> (reporter) |
| 40 | + |
| 41 | +### Affected versions: |
| 42 | + |
| 43 | + - Apache CloudStack 4.21.0.0 through 4.22.0.0 |
| 44 | + |
| 45 | +### Resolution |
| 46 | + |
| 47 | +Users are recommended to upgrade to version 4.22.0.1 or later, which |
| 48 | +addresses these issues. |
| 49 | + |
| 50 | +## [CVE-2025-66171](https://www.cve.org/CVERecord?id=CVE-2025-66171): Any user can create a new VM from backups they should not have access to |
| 51 | + |
| 52 | +The CloudStack Backup plugin has an improper access logic in versions |
| 53 | +4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access |
| 54 | +in CloudStack 4.21.0.0+ environments, where this plugin is enabled and |
| 55 | +have access to specific APIs can create new VMs using backups of any |
| 56 | +other user of the environment. |
| 57 | + |
| 58 | +### Credits |
| 59 | + |
| 60 | +The CVEs are credited to the following reporters: |
| 61 | + |
| 62 | + - Fabricio Duarte <fabricio.duarte.jr@gmail.com> (reporter) |
| 63 | + - Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com> (reporter) |
| 64 | + - Gabriel Pordeus Santos <gabrielpordeus@gmail.com> (reporter) |
| 65 | + |
| 66 | +### Affected versions: |
| 67 | + |
| 68 | + - Apache CloudStack 4.21.0.0 through 4.22.0.0 |
| 69 | + |
| 70 | +### Resolution |
| 71 | + |
| 72 | +Users are recommended to upgrade to version 4.22.0.1 or later, which |
| 73 | +addresses these issues. |
| 74 | + |
| 75 | +## [CVE-2025-66172](https://www.cve.org/CVERecord?id=CVE-2025-66172): Any user can attach a volume in their VMs from backups they should not have access to |
| 76 | + |
| 77 | +The CloudStack Backup plugin has an improper access logic in versions |
| 78 | +4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access |
| 79 | +in CloudStack 4.21.0.0+ environments, where this plugin is enabled and |
| 80 | +have access to specific APIs can restore a volume from any other |
| 81 | +user's backups and attach the volume to their own VMs. |
| 82 | + |
| 83 | +### Credits |
| 84 | + |
| 85 | +The CVEs are credited to the following reporters: |
| 86 | + |
| 87 | + - Fabricio Duarte <fabricio.duarte.jr@gmail.com> (reporter) |
| 88 | + - Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com> (reporter) |
| 89 | + - Gabriel Pordeus Santos <gabrielpordeus@gmail.com> (reporter) |
| 90 | + |
| 91 | +### Affected versions: |
| 92 | + |
| 93 | + - Apache CloudStack 4.21.0.0 through 4.22.0.0 |
| 94 | + |
| 95 | +### Resolution |
| 96 | + |
| 97 | +Users are recommended to upgrade to version 4.22.0.1 or later, which |
| 98 | +addresses these issues. |
| 99 | + |
| 100 | +## [CVE-2025-66467](https://www.cve.org/CVERecord?id=CVE-2025-66467): MinIO policy remains intact on bucket deletion |
| 101 | + |
| 102 | +Missing MinIO policy cleanup on bucket deletion via Apache CloudStack |
| 103 | +allows users to retain access to buckets which they previously |
| 104 | +owned. If another user creates a new bucket with the same name, the |
| 105 | +previous owners can gain unauthorized read and write access to it by |
| 106 | +using the previously generated access and secret keys. |
| 107 | + |
| 108 | +### Credits |
| 109 | + |
| 110 | +The CVEs are credited to the following reporters: |
| 111 | + |
| 112 | + - Roman Kozello <roman.kozello@gmail.com> (reporter) |
| 113 | + |
| 114 | +### Affected versions: |
| 115 | + |
| 116 | + - Apache CloudStack 4.19.0.0 through 4.20.2.0 |
| 117 | + - Apache CloudStack 4.21.0.0 through 4.22.0.0 |
| 118 | + |
| 119 | +### Resolution |
| 120 | + |
| 121 | +Users are recommended to upgrade to version 4.20.3.0 or 4.22.0.1 or |
| 122 | +later, which addresses these issues. |
| 123 | + |
| 124 | + |
| 125 | +## [CVE-2025-69233](https://www.cve.org/CVERecord?id=CVE-2025-69233): Domain/account resources limits not honored |
| 126 | + |
| 127 | +Due to multiple time-of-check time-of-use race conditions in the |
| 128 | +resource count check and increment logic, as well as missing |
| 129 | +validations, users of the platform are able to exceed the allocation |
| 130 | +limits configured for their accounts/domains. This can be used by an |
| 131 | +attacker to degrade the infrastructure's resources and lead to denial |
| 132 | +of service conditions. |
| 133 | + |
| 134 | +### Credits |
| 135 | + |
| 136 | +The CVEs are credited to the following reporters: |
| 137 | + |
| 138 | + - Fernando Oliveira <ferolicar82@gmail.com> (reporter) |
| 139 | + - Gustavo Viana <viana.gust@gmail.com> (reporter) |
| 140 | + |
| 141 | +### Affected versions: |
| 142 | + |
| 143 | + - Apache CloudStack 4.0.0 through 4.20.2.0 |
| 144 | + - Apache CloudStack 4.21.0.0 through 4.22.0.0 |
| 145 | + |
| 146 | +### Resolution |
| 147 | + |
| 148 | +Users are recommended to upgrade to version 4.20.3.0 or 4.22.0.1 or |
| 149 | +later, which addresses these issues. |
| 150 | + |
| 151 | + |
| 152 | +## [CVE-2026-25077](https://www.cve.org/CVERecord?id=CVE-2026-25077):Unauthenticated Command Injection in Direct Download Templates |
| 153 | + |
| 154 | +Account users are allowed by default to register templates to be |
| 155 | +downloaded directly to the primary storage for deploying instances |
| 156 | +using the KVM hypervisor. Due to missing file name sanitization, an |
| 157 | +attacker can register malicious templates to execute arbitrary code on |
| 158 | +the KVM hosts. This can result in the compromise of resource integrity |
| 159 | +and confidentiality, data loss, denial of service, and availability of |
| 160 | +the KVM-based infrastructure managed by CloudStack. |
| 161 | + |
| 162 | +### Credits |
| 163 | + |
| 164 | +The CVEs are credited to the following reporters: |
| 165 | + |
| 166 | + - Reza at HazardLab (https://hazardlab.ninja) (reporter) |
| 167 | + |
| 168 | + |
| 169 | +### Affected versions: |
| 170 | + |
| 171 | + - Apache CloudStack 4.11.0 through 4.20.2.0 |
| 172 | + - Apache CloudStack 4.21.0.0 through 4.22.0.0 |
| 173 | + |
| 174 | +### Resolution |
| 175 | + |
| 176 | +Users are recommended to upgrade to version 4.20.3.0 or 4.22.0.1 or |
| 177 | +later, which addresses the issue. |
| 178 | + |
| 179 | + |
| 180 | +## [CVE-2026-25199](https://www.cve.org/CVERecord?id=CVE-2026-25199): Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access |
| 181 | + |
| 182 | +The Proxmox extension for CloudStack improperly uses a user-editable |
| 183 | +instance setting, proxmox_vmid, to associate CloudStack instances with |
| 184 | +Proxmox virtual machines. Because this value is not restricted or |
| 185 | +validated against tenant ownership and Proxmox VM IDs are predictable, |
| 186 | +a non-privileged attacker can modify the setting to reference a VM |
| 187 | +belonging to another account. This allows unauthorized cross-tenant |
| 188 | +access and enables full control over the targeted VM, including |
| 189 | +starting, stopping, and destroying the virtual machine. |
| 190 | + |
| 191 | +### Credits |
| 192 | + |
| 193 | +The CVEs are credited to the following reporters: |
| 194 | + |
| 195 | + - Sander Grendelman <sander.grendelman@axians.com> (reporter) |
| 196 | + |
| 197 | +### Affected versions: |
| 198 | + |
| 199 | + - Apache CloudStack 4.21.0.0 through 4.22.0.0 |
| 200 | + |
| 201 | +### Resolution |
| 202 | + |
| 203 | +Users are recommended to upgrade to version 4.22.0.1 or later, which |
| 204 | +addresses these issues. |
| 205 | + |
| 206 | +As a workaround for the existing installations, editing of the |
| 207 | +proxmox_vmid instance detail by users can be prevented by adding this |
| 208 | +detail name to the global configuration parameter - |
| 209 | +user.vm.denied.details. |
| 210 | + |
| 211 | +## Downloads and Documentation |
| 212 | + |
| 213 | +The official source code for the 4.22.0.1 release can be downloaded |
| 214 | +from the project downloads page: |
| 215 | + |
| 216 | +https://cloudstack.apache.org/downloads |
| 217 | + |
| 218 | +The 4.22.0.1 release notes can be found at: |
| 219 | +- https://docs.cloudstack.apache.org/en/4.22.0.1/releasenotes/about.html |
| 220 | + |
| 221 | +In addition to the official source code release, individual |
| 222 | +contributors have also made release packages available on the Apache |
| 223 | +CloudStack download page, and available at: |
| 224 | + |
| 225 | +- https://download.cloudstack.org/el/8/ |
| 226 | +- https://download.cloudstack.org/el/9/ |
| 227 | +- https://download.cloudstack.org/el/10/ |
| 228 | +- https://download.cloudstack.org/suse/15/ |
| 229 | +- https://download.cloudstack.org/ubuntu/dists/ |
| 230 | +- https://www.shapeblue.com/cloudstack-packages/ |
0 commit comments