CVE-2024-45219

8.5 HIGH

📋 TL;DR

Apache CloudStack has a vulnerability where users can upload malicious KVM-compatible templates or volumes that bypass validation checks. This allows attackers to gain access to host filesystems, compromising data integrity and availability. Affected versions are 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1.

💻 Affected Systems

Products:
  • Apache CloudStack
Versions: 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1
Operating Systems: Any OS running CloudStack with KVM hypervisor
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects KVM-based environments. Other hypervisors like VMware, Xen, Hyper-V are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete compromise of KVM-based infrastructure managed by CloudStack, leading to data loss, denial of service, and unauthorized access to all hosted systems.

🟠 Likely Case
Attackers gain access to host filesystems, potentially compromising multiple virtual machines and sensitive data.

🟢 If Mitigated
Limited impact if proper scanning and validation of uploaded templates/volumes is implemented alongside network segmentation.

🌐 Internet-Facing: HIGH - CloudStack management interfaces are often internet-facing, allowing remote attackers to exploit this vulnerability.
🏢 Internal Only: HIGH - Even internal attackers with user accounts can exploit this to escalate privileges and compromise infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated user access to upload templates/volumes. Exploitation involves creating malicious disk images that reference host filesystems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.18.2.4 or 4.19.1.2

Vendor Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2

Restart Required: Yes

Instructions:

1. Back up configuration and data.
2. Download the patched version from the Apache CloudStack website.
3. Stop CloudStack services.
4. Apply the patch or upgrade to the fixed version.
5. Restart services and verify functionality.

🔧 Temporary Workarounds

Scan existing templates and volumes (Linux shell)

Scan secondary storage for malicious disk images using qemu-img to detect host filesystem references. Files are read with find -print0 and a null-delimited read loop so that paths with spaces or glob characters are handled safely; -U opens each image with a shared lock so running images are not disturbed.

find /path/to/storage/ -type f -regex '[a-f0-9\-]*.*' -print0 | while IFS= read -r -d '' file; do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U "$file" | grep 'file:'; printf "\n\n"; done

Comprehensive disk feature analysis (Linux shell)

Check all template/volume features for each disk to identify suspicious configurations (backing files, unexpected formats, or format-specific options).

find /path/to/storage/ -type f -regex '[a-f0-9\-]*.*' -print0 | while IFS= read -r -d '' file; do echo "Retrieving file [$file] info."; qemu-img info -U "$file"; printf "\n\n"; done
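As an added example (not code from the advisory or from the CloudStack project), the following Python script generalizes the two qemu-img commands above: it reads `qemu-img info -U --output=json` for each file under the storage root, collects every backing-file reference (including nested backing images), and flags references that resolve outside the storage root, which is the pattern the workaround is hunting for. The storage path is the advisory's placeholder, and the ImageInfo dictionaries used for checking are constructed samples.

```python
import json
import os
import subprocess

STORAGE_ROOT = "/path/to/storage"  # advisory placeholder; point at the real secondary storage mount

def qemu_img_info(image_path):
    """Run `qemu-img info -U --output=json` on one file and parse the JSON (needs qemu-img)."""
    proc = subprocess.run(["qemu-img", "info", "-U", "--output=json", image_path],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)

def backing_references(info):
    """Collect backing-file names from an ImageInfo dict, following nested backing images."""
    refs = []
    # full-backing-filename is already resolved against the image directory; else take the raw name
    name = info.get("full-backing-filename") or info.get("backing-filename")
    if name:
        refs.append(name)
    nested = info.get("backing-image")
    if isinstance(nested, dict):
        refs.extend(backing_references(nested))
    return refs

def outside_root(ref, storage_root):
    """True when a backing reference resolves to a path outside storage_root."""
    root = os.path.realpath(storage_root)
    target = os.path.realpath(os.path.join(root, ref))  # absolute refs win; relative ones hang off root
    return os.path.commonpath([root, target]) != root

def classify(info, storage_root=STORAGE_ROOT):
    """Return [(reference, escapes_storage)] for every backing reference in one image."""
    return [(ref, outside_root(ref, storage_root)) for ref in backing_references(info)]

def scan(storage_root=STORAGE_ROOT):
    """Walk storage_root; yield (image_path, findings) for images carrying backing references."""
    for dirpath, _, files in os.walk(storage_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                refs = classify(qemu_img_info(path), storage_root)
            except (subprocess.CalledProcessError, json.JSONDecodeError):
                continue  # not an image qemu-img understands
            if refs:
                yield path, refs

if __name__ == "__main__":
    for path, refs in scan():
        for ref, escapes in refs:
            print(("ESCAPES " if escapes else "backing ") + path + " -> " + ref)
```

Images with a backing reference inside the storage root are still reported, because an uploaded template or volume on secondary storage normally has none; only references marked ESCAPES point at the host filesystem.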

🧯 If You Can't Patch

  • Restrict template/volume upload permissions to trusted administrators only
  • Implement strict network segmentation between CloudStack management and production environments

🔍 How to Verify

Check if Vulnerable:

Check the CloudStack version: if it is between 4.0.0 and 4.18.2.3 or between 4.19.0.0 and 4.19.1.1, the system is vulnerable.

Check Version:

Check the CloudStack version in the management interface or via the 'cloudstack-setup-databases --version' command.

Verify Fix Applied:

Verify the installed version is 4.18.2.4 or later in the 4.18 series, or 4.19.1.2 or later in the 4.19 series.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template/volume upload activity from non-admin users
  • Multiple failed deployment attempts with custom templates
  • Unexpected host filesystem access patterns

Network Indicators:

  • Unusual outbound connections from CloudStack hosts
  • Unexpected network traffic between VMs and host systems

SIEM Query:

source="cloudstack" AND (event="template.upload" OR event="volume.upload") AND user!="admin"
