漏洞标题
Apache CloudStack:额外配置功能可能被滥用,以在VM实例上加载虚拟机监视器资源
漏洞描述信息
已发现CloudStack附加VM配置(extraconfig)功能存在一个漏洞,任何有权部署VM实例或配置已部署VM实例设置的用户都可能滥用此功能,在管理员未明确启用该功能的情况下配置附加VM配置。在基于KVM的CloudStack环境中,攻击者可以利用此问题将主机设备(如存储磁盘、网络适配器和GPU等PCI和USB设备)挂载到普通VM实例上,进而可能进一步利用该漏洞获取对基础网络和存储基础设施资源的访问权限,以及访问本地存储上的任何VM实例磁盘。
建议用户升级到版本4.18.1.1或4.19.0.1,以修复此问题。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
漏洞类别
授权机制不正确
漏洞标题
Apache CloudStack: The extraconfig feature can be abused to load hypervisor resources on a VM instance
漏洞描述信息
A problem has been identified in the CloudStack additional VM configuration (extraconfig) feature which can be misused by anyone who has privilege to deploy a VM instance or configure settings of an already deployed VM instance, to configure additional VM configuration even when the feature is not explicitly enabled by the administrator. In a KVM based CloudStack environment, an attacker can exploit this issue to attach host devices such as storage disks, and PCI and USB devices such as network adapters and GPUs, in a regular VM instance that can be further exploited to gain access to the underlying network and storage infrastructure resources, and access any VM instance disks on the local storage.
Users are advised to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue.
CVSS信息
N/A
漏洞类别
输入验证不恰当
漏洞标题
Apache CloudStack 输入验证错误漏洞
漏洞描述信息
Apache CloudStack是美国阿帕奇(Apache)基金会的一套基础架构即服务(IaaS)云计算平台。该平台主要用于部署和管理大型虚拟机网络。 Apache CloudStack 4.18.1.1、4.19.0.1版本存在输入验证错误漏洞,该漏洞源于任何有权部署虚拟机实例或配置已部署虚拟机实例设置的人都可能会滥用附加虚拟机配置 (extraconfig) 功能来配置附加虚拟机配置。
CVSS信息
N/A
漏洞类别
输入验证错误