CVE-2024-38346

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in Apache CloudStack allows unauthenticated attackers to execute arbitrary commands on hypervisors and management servers via the cluster service port (default 9090). It affects CloudStack deployments with the vulnerable cluster service exposed, potentially leading to complete infrastructure compromise.

💻 Affected Systems

Products:
  • Apache CloudStack
Versions: All versions before 4.18.2.1 and 4.19.0.2
Operating Systems: All platforms running CloudStack
Default Config Vulnerable: ⚠️ Yes
Notes: The cluster service runs on port 9090 by default without authentication. All CloudStack deployments using the cluster service are affected unless patched or properly segmented.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of CloudStack managed infrastructure including hypervisors, management servers, and all hosted virtual machines, leading to data theft, service disruption, and lateral movement.

🟠

Likely Case

Remote code execution on CloudStack management servers and hypervisors, allowing attackers to deploy malware, steal credentials, and disrupt cloud operations.

🟢

If Mitigated

Limited to internal network if proper network segmentation is implemented, with no impact if patched or service is not exposed.

🌐 Internet-Facing: HIGH - The default configuration exposes the vulnerable service on port 9090 without authentication, making internet-facing deployments extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, any attacker with network access to port 9090 can exploit this without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to port 9090; no authentication is needed. The vulnerability is a command injection in the commands handled by the cluster service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.18.2.1 or 4.19.0.2 or later

Vendor Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.19.0.2-4.18.2.1

Restart Required: Yes

Instructions:

1. Backup your CloudStack configuration and database.
2. Download the patched version from the Apache CloudStack website.
3. Stop CloudStack services.
4. Apply the patch or upgrade to the fixed version.
5. Restart CloudStack services.
6. Verify the upgrade was successful.

🔧 Temporary Workarounds

Network Access Restriction

Restrict access to cluster service port 9090 to only trusted CloudStack management server peers using firewall rules.

# Allow one trusted peer (repeat for each management server), then drop everyone else.
# -A appends to the chain: if an earlier rule already accepts this traffic, these two never match,
# so check the existing chain order (or use -I to insert at the top).
iptables -A INPUT -p tcp --dport 9090 -s <trusted_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate CloudStack management servers and restrict access to port 9090 only to required peer systems.
  • Deploy network-based intrusion detection/prevention systems to monitor and block suspicious traffic to port 9090.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed CloudStack version is unpatched (older than 4.18.2.1 on the 4.18 branch, or older than 4.19.0.2 on the 4.19 branch) and whether port 9090 is reachable from untrusted networks.

Check Version:

cloudstack-setup-databases --version

Verify Fix Applied:

Verify that the CloudStack version is 4.18.2.1, 4.19.0.2 or later, and test that command injection attempts on port 9090 are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual commands executed via cluster service
  • Multiple connection attempts to port 9090 from unauthorized sources
  • Error logs showing command injection attempts

Network Indicators:

  • Unusual traffic patterns to port 9090
  • Command injection payloads in network traffic to port 9090
  • Connections to port 9090 from non-peer systems

SIEM Query:

dest_port:9090 AND (payload_contains:"$" OR payload_contains:"|" OR payload_contains:";" OR payload_contains:"`")

The query is written in generic pseudo-syntax; adapt the field names to your SIEM. It matches on the destination port, since the indicators above concern traffic sent to the cluster service, not the service's replies.
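The two network indicators above (connections to port 9090 from non-peer systems, and shell metacharacters in cluster-service payloads) can be turned into a small log scanner. The following is an added example, not code from the CVE entry or from Apache CloudStack: it assumes a constructed, simplified log line format and a hypothetical allow-list of management-server peers, and flags each request that violates either indicator.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log (not CloudStack's real format): one line per cluster-service request.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z src=10.1.0.12 dport=9090 cmd="ping"
2024-07-05T10:00:02Z src=10.1.0.13 dport=9090 cmd="propagate job=42"
2024-07-05T10:00:03Z src=203.0.113.7 dport=9090 cmd="ping"
2024-07-05T10:00:04Z src=10.1.0.12 dport=9090 cmd="ping; echo test"
2024-07-05T10:00:05Z src=10.1.0.12 dport=443 cmd="GET /client/api"
"""

# Hypothetical allow-list: the management-server peers that may legitimately use port 9090.
TRUSTED_PEERS = [ip_network("10.1.0.0/24")]
CLUSTER_PORT = 9090
# The same shell metacharacters the SIEM query above looks for.
META = re.compile(r"[$|;`]")
LINE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) cmd="(?P<cmd>[^"]*)"$')


def classify(src, dport, cmd):
    """Return alert tags for one request; an empty list means no finding."""
    if dport != CLUSTER_PORT:
        return []  # only the cluster service port is in scope
    tags = []
    if not any(ip_address(src) in net for net in TRUSTED_PEERS):
        tags.append("non-peer-source")
    if META.search(cmd):
        tags.append("shell-metacharacter")
    return tags


def scan(log_text):
    """Parse the log and return (timestamp, src, tags) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        tags = classify(m["src"], int(m["dport"]), m["cmd"])
        if tags:
            findings.append((m["ts"], m["src"], tags))
    return findings


if __name__ == "__main__":
    for ts, src, tags in scan(SAMPLE_LOG):
        print(ts, src, ", ".join(tags))
```

On the sample log the scanner reports the request from 203.0.113.7 (outside the peer allow-list) and the "ping; echo test" payload from a trusted peer, and ignores the port 443 line.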

🔗 References
