Skip to content

Commit c424e73

Browse files
DaanHooglandDaan Hoogland
andauthored
security release 20.3 and 22.0.1 announcement
Co-authored-by: Daan Hoogland <dahn@apache.org>
1 parent fa447de commit c424e73

2 files changed

Lines changed: 230 additions & 0 deletions

File tree

503 KB
Loading
Lines changed: 230 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,230 @@
1+
---
2+
layout: post
3+
title: "[ADVISORY] Apache CloudStack LTS Security Releases 4.20.3.0 and 4.22.0.1"
4+
tags: [announcement]
5+
authors: [daan]
6+
slug: security-release-advisory-4.20.3.0-4.22.0.1
7+
---
8+
9+
[![](banner.png "Apache CloudStack LTS Security Releases 4.20.3.0 and 4.22.0.1")](/blog/security-release-advisory-4.20.3.0-4.22.0.1)
10+
11+
The Apache CloudStack project announces the release of LTS releases [4.20.3.0](https://github.com/apache/cloudstack/releases/tag/4.20.3.0) and [4.22.0.1](https://github.com/apache/cloudstack/releases/tag/4.22.0.1) that address the following security issues:
12+
13+
- CVE-2025-66170 (severity 'Low')
14+
- CVE-2025-66171 (severity 'Important')
15+
- CVE-2025-66172 (severity 'Important')
16+
- CVE-2025-66467 (severity 'Important')
17+
- CVE-2025-69233 (severity 'Moderate')
18+
- CVE-2026-25077 (severity 'Important')
19+
- CVE-2026-25199 (severity 'Moderate')
20+
21+
22+
<!-- truncate -->
23+
24+
## [CVE-2025-66170](https://www.cve.org/CVERecord?id=CVE-2025-66170): Any user can list backups that they should not have access to.
25+
26+
The CloudStack Backup plugin has an improper authorization logic in
27+
versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account
28+
access in CloudStack 4.21.0.0+ environments, where this plugin is
29+
enabled and have access to specific APIs can list backups from any
30+
account in the environment. This vulnerability does not allow them to
31+
see the contents of the backup.
32+
33+
### Credits
34+
35+
The CVEs are credited to the following reporters:
36+
37+
- Fabricio Duarte <fabricio.duarte.jr@gmail.com> (reporter)
38+
- Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com> (reporter)
39+
- Gabriel Pordeus Santos <gabrielpordeus@gmail.com> (reporter)
40+
41+
### Affected versions:
42+
43+
- Apache CloudStack 4.21.0.0 through 4.22.0.0
44+
45+
### Resolution
46+
47+
Users are recommended to upgrade to version 4.22.0.1 or later, which
48+
addresses these issues.
49+
50+
## [CVE-2025-66171](https://www.cve.org/CVERecord?id=CVE-2025-66171): Any user can create a new VM from backups they should not have access to
51+
52+
The CloudStack Backup plugin has an improper access logic in versions
53+
4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access
54+
in CloudStack 4.21.0.0+ environments, where this plugin is enabled and
55+
have access to specific APIs can create new VMs using backups of any
56+
other user of the environment.
57+
58+
### Credits
59+
60+
The CVEs are credited to the following reporters:
61+
62+
- Fabricio Duarte <fabricio.duarte.jr@gmail.com> (reporter)
63+
- Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com> (reporter)
64+
- Gabriel Pordeus Santos <gabrielpordeus@gmail.com> (reporter)
65+
66+
### Affected versions:
67+
68+
- Apache CloudStack 4.21.0.0 through 4.22.0.0
69+
70+
### Resolution
71+
72+
Users are recommended to upgrade to version 4.22.0.1 or later, which
73+
addresses these issues.
74+
75+
## [CVE-2025-66172](https://www.cve.org/CVERecord?id=CVE-2025-66172): Any user can attach a volume in their VMs from backups they should not have access to
76+
77+
The CloudStack Backup plugin has an improper access logic in versions
78+
4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access
79+
in CloudStack 4.21.0.0+ environments, where this plugin is enabled and
80+
have access to specific APIs can restore a volume from any other
81+
user's backups and attach the volume to their own VMs.
82+
83+
### Credits
84+
85+
The CVEs are credited to the following reporters:
86+
87+
- Fabricio Duarte <fabricio.duarte.jr@gmail.com> (reporter)
88+
- Gabriel Ortiga Fernandes <gabriel.ortiga@hotmail.com> (reporter)
89+
- Gabriel Pordeus Santos <gabrielpordeus@gmail.com> (reporter)
90+
91+
### Affected versions:
92+
93+
- Apache CloudStack 4.21.0.0 through 4.22.0.0
94+
95+
### Resolution
96+
97+
Users are recommended to upgrade to version 4.22.0.1 or later, which
98+
addresses these issues.
99+
100+
## [CVE-2025-66467](https://www.cve.org/CVERecord?id=CVE-2025-66467): MinIO policy remains intact on bucket deletion
101+
102+
Missing MinIO policy cleanup on bucket deletion via Apache CloudStack
103+
allows users to retain access to buckets which they previously
104+
owned. If another user creates a new bucket with the same name, the
105+
previous owners can gain unauthorized read and write access to it by
106+
using the previously generated access and secret keys.
107+
108+
### Credits
109+
110+
The CVEs are credited to the following reporters:
111+
112+
- Roman Kozello <roman.kozello@gmail.com> (reporter)
113+
114+
### Affected versions:
115+
116+
- Apache CloudStack 4.19.0.0 through 4.20.2.0
117+
- Apache CloudStack 4.21.0.0 through 4.22.0.0
118+
119+
### Resolution
120+
121+
Users are recommended to upgrade to version 4.20.3.0 or 4.22.0.1 or
122+
later, which addresses these issues.
123+
124+
125+
## [CVE-2025-69233](https://www.cve.org/CVERecord?id=CVE-2025-69233): Domain/account resources limits not honored
126+
127+
Due to multiple time-of-check time-of-use race conditions in the
128+
resource count check and increment logic, as well as missing
129+
validations, users of the platform are able to exceed the allocation
130+
limits configured for their accounts/domains. This can be used by an
131+
attacker to degrade the infrastructure's resources and lead to denial
132+
of service conditions.
133+
134+
### Credits
135+
136+
The CVEs are credited to the following reporters:
137+
138+
- Fernando Oliveira <ferolicar82@gmail.com> (reporter)
139+
- Gustavo Viana <viana.gust@gmail.com> (reporter)
140+
141+
### Affected versions:
142+
143+
- Apache CloudStack 4.0.0 through 4.20.2.0
144+
- Apache CloudStack 4.21.0.0 through 4.22.0.0
145+
146+
### Resolution
147+
148+
Users are recommended to upgrade to version 4.20.3.0 or 4.22.0.1 or
149+
later, which addresses these issues.
150+
151+
152+
## [CVE-2026-25077](https://www.cve.org/CVERecord?id=CVE-2026-25077):Unauthenticated Command Injection in Direct Download Templates
153+
154+
Account users are allowed by default to register templates to be
155+
downloaded directly to the primary storage for deploying instances
156+
using the KVM hypervisor. Due to missing file name sanitization, an
157+
attacker can register malicious templates to execute arbitrary code on
158+
the KVM hosts. This can result in the compromise of resource integrity
159+
and confidentiality, data loss, denial of service, and availability of
160+
the KVM-based infrastructure managed by CloudStack.
161+
162+
### Credits
163+
164+
The CVEs are credited to the following reporters:
165+
166+
- Reza at HazardLab (https://hazardlab.ninja) (reporter)
167+
168+
169+
### Affected versions:
170+
171+
- Apache CloudStack 4.11.0 through 4.20.2.0
172+
- Apache CloudStack 4.21.0.0 through 4.22.0.0
173+
174+
### Resolution
175+
176+
Users are recommended to upgrade to version 4.20.3.0 or 4.22.0.1 or
177+
later, which addresses the issue.
178+
179+
180+
## [CVE-2026-25199](https://www.cve.org/CVERecord?id=CVE-2026-25199): Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access
181+
182+
The Proxmox extension for CloudStack improperly uses a user-editable
183+
instance setting, proxmox_vmid, to associate CloudStack instances with
184+
Proxmox virtual machines. Because this value is not restricted or
185+
validated against tenant ownership and Proxmox VM IDs are predictable,
186+
a non-privileged attacker can modify the setting to reference a VM
187+
belonging to another account. This allows unauthorized cross-tenant
188+
access and enables full control over the targeted VM, including
189+
starting, stopping, and destroying the virtual machine.
190+
191+
### Credits
192+
193+
The CVEs are credited to the following reporters:
194+
195+
- Sander Grendelman <sander.grendelman@axians.com> (reporter)
196+
197+
### Affected versions:
198+
199+
- Apache CloudStack 4.21.0.0 through 4.22.0.0
200+
201+
### Resolution
202+
203+
Users are recommended to upgrade to version 4.22.0.1 or later, which
204+
addresses these issues.
205+
206+
As a workaround for the existing installations, editing of the
207+
proxmox_vmid instance detail by users can be prevented by adding this
208+
detail name to the global configuration parameter -
209+
user.vm.denied.details.
210+
211+
## Downloads and Documentation
212+
213+
The official source code for the 4.22.0.1 release can be downloaded
214+
from the project downloads page:
215+
216+
https://cloudstack.apache.org/downloads
217+
218+
The 4.22.0.1 release notes can be found at:
219+
- https://docs.cloudstack.apache.org/en/4.22.0.1/releasenotes/about.html
220+
221+
In addition to the official source code release, individual
222+
contributors have also made release packages available on the Apache
223+
CloudStack download page, and available at:
224+
225+
- https://download.cloudstack.org/el/8/
226+
- https://download.cloudstack.org/el/9/
227+
- https://download.cloudstack.org/el/10/
228+
- https://download.cloudstack.org/suse/15/
229+
- https://download.cloudstack.org/ubuntu/dists/
230+
- https://www.shapeblue.com/cloudstack-packages/

0 commit comments

Comments
 (0)