|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "[ADVISORY] Security Improvements in Apache CloudStack 4.20.2.0 and 4.22.0.0" |
| 4 | +tags: [announcement] |
| 5 | +authors: [harikrishna] |
| 6 | +slug: cve-advisories-4.20.2.0-4.22.0.0 |
| 7 | +--- |
| 8 | + |
| 9 | +[](/blog/lts-release-advisory-4.20.2.0-4.22.0.0) |
| 10 | + |
| 11 | +The Apache CloudStack project announces the LTS release of [4.20.2.0](https://github.com/apache/cloudstack/releases/tag/4.20.2.0) and [4.22.0.0](https://github.com/apache/cloudstack/releases/tag/4.22.0.0) that address the following security issues: |
| 12 | + |
| 13 | +- CVE-2025-59302 (severity 'Low') |
| 14 | +- CVE-2025-59454 (severity 'Low') |
| 15 | + |
| 16 | +<!-- truncate --> |
| 17 | + |
| 18 | +## [CVE-2025-59302](https://www.cve.org/CVERecord?id=CVE-2025-59302): Potential remote code execution on Javascript engine defined rules |
| 19 | + |
| 20 | +In Apache CloudStack, improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. |
| 21 | + |
| 22 | +- quotaTariffCreate |
| 23 | +- quotaTariffUpdate |
| 24 | +- createSecondaryStorageSelector |
| 25 | +- updateSecondaryStorageSelector |
| 26 | +- updateHost |
| 27 | +- updateStorage |
| 28 | + |
| 29 | +The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk. |
| 30 | + |
| 31 | +## [CVE-2025-59454](https://www.cve.org/CVERecord?id=CVE-2025-59454): Lack of user permission validation leading to data leak for few APIs |
| 32 | + |
| 33 | +In Apache CloudStack, a gap in access control checks affected the APIs |
| 34 | + |
| 35 | +- createNetworkACL |
| 36 | +- listNetworkACLs |
| 37 | +- listResourceDetails |
| 38 | +- listVirtualMachinesUsageHistory |
| 39 | +- listVolumesUsageHistory |
| 40 | + |
| 41 | +While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. |
| 42 | + |
| 43 | +## Credits |
| 44 | + |
| 45 | +The CVEs are credited to the following reporters: |
| 46 | + |
| 47 | +- CVE-2025-59302: |
| 48 | + - Tianyi Cheng <[email protected]> |
| 49 | + |
| 50 | +- CVE-2025-59454: |
| 51 | + - [email protected] <https://github.com/ai-bugreporter/Credits> |
| 52 | + |
| 53 | +## Affected versions: |
| 54 | + |
| 55 | +- CVE-2025-59302: |
| 56 | + - Apache CloudStack 4.18.0.0 through 4.20.1.0 and 4.21.0.0 |
| 57 | + |
| 58 | +- CVE-2025-59454: |
| 59 | + - Apache CloudStack 4.0.0 through 4.20.1.0 and 4.21.0.0 |
| 60 | + |
| 61 | +## Resolution |
| 62 | + |
| 63 | +Users are recommended to upgrade to version 4.20.2.0, 4.22.0.0 or later, which addresses these issues. |
| 64 | + |
| 65 | +## Downloads and Documentation |
| 66 | + |
| 67 | +The official source code for the 4.20.2.0 and 4.22.0.0 releases can be downloaded from the project [downloads page](/downloads). |
| 68 | + |
| 69 | +The 4.20.2.0 and 4.22.0.0 release notes can be found at: |
| 70 | + |
| 71 | +- https://docs.cloudstack.apache.org/en/4.20.2.0/releasenotes/about.html |
| 72 | +- https://docs.cloudstack.apache.org/en/4.22.0.0/releasenotes/about.html |
| 73 | + |
| 74 | +In addition to the official source code release, individual contributors have also made release packages available on the Apache CloudStack download page, and available at: |
| 75 | + |
| 76 | +- https://download.cloudstack.org/el/8/ |
| 77 | +- https://download.cloudstack.org/el/9/ |
| 78 | +- https://download.cloudstack.org/el/10/ |
| 79 | +- https://download.cloudstack.org/suse/15/ |
| 80 | +- https://download.cloudstack.org/ubuntu/dists/ |
| 81 | +- https://download.cloudstack.org/debian/dists/ |
| 82 | +- https://www.shapeblue.com/cloudstack-packages/ |
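Review bot: the fix paragraph for CVE-2025-59302 ("The fix introduces a new global configuration flag, js.interpretation.enabled ...") does not say what the flag defaults to after upgrade, nor what happens to existing quota tariff or secondary storage selector rules when interpretation is disabled; an administrator reading the advisory needs that to judge whether upgrading alone closes the issue or whether the flag must also be set. Suggest adding a sentence such as "By default, js.interpretation.enabled is set to <default value>; when disabled, JavaScript expressions passed to these APIs are not evaluated." Smaller points: the line `[](/blog/lts-release-advisory-4.20.2.0-4.22.0.0)` is a link with empty text and renders as nothing, so either give it link text or drop it; the heading "## Affected versions:" ends with a colon while the other headings do not; and "which addresses these issues" in the Resolution section should read "which address these issues", since the subject is the two versions.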