CVE-2024-45462
📋 TL;DR
This CVE describes a session expiration vulnerability in Apache CloudStack's web interface where logout doesn't properly invalidate user sessions. An attacker with access to a user's browser can reuse unexpired sessions to access the logged-out user's resources. This affects CloudStack versions 4.15.1.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1.
💻 Affected Systems
- Apache CloudStack
⚠️ Risk & Real-World Impact
Worst Case
An attacker with physical or remote access to a user's browser could gain full administrative access to CloudStack infrastructure, potentially compromising virtual machines, networks, and storage resources.
Likely Case
Attackers with access to shared or public computers could hijack sessions of previously logged-in users to access their CloudStack resources and perform unauthorized actions.
If Mitigated
With proper access controls, session management, and browser security, impact is limited to temporary unauthorized access until sessions naturally expire or services restart.
🎯 Exploit Status
Exploitation requires access to the user's browser session, which could be obtained through various means including physical access, malware, or cross-site scripting attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.18.2.4 or 4.19.1.2 or later
Vendor Advisory: https://cloudstack.apache.org/blog/security-release-advisory-4.18.2.4-4.19.1.2
Restart Required: Yes
Instructions:
1. Back up your CloudStack configuration and database.
2. Download the patched version from the Apache CloudStack website.
3. Follow the official upgrade guide for your version.
4. Restart the CloudStack management server and all affected services.
🔧 Temporary Workarounds
Force Session Expiry on Logout
Implement custom logout handling to explicitly invalidate sessions server-side
# Requires custom development to modify logout behavior
Reduce Session Timeout
Configure shorter session timeout values to limit the exposure window
# Modify session.timeout in CloudStack configuration files
🧯 If You Can't Patch
- Implement strict browser security policies and educate users to always close browsers after logout
- Deploy additional authentication layers and monitor for unusual session activity
🔍 How to Verify
Check if Vulnerable:
Check CloudStack version via management server UI or query database for version information
Check Version:
# Check via CloudStack API or database: SELECT version FROM version
Verify Fix Applied:
After upgrade, test logout functionality and verify sessions are properly invalidated
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from same session ID after logout events
- Unusual resource access patterns following user logout
Network Indicators:
- Session tokens being reused after logout requests
SIEM Query:
session_id:* AND event_type:logout AND (later event_type:api_call WITH same session_id)
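The log indicators above, turned into a runnable check as an added example (not code from the advisory or the CloudStack project): it flags any session ID that is still issuing API calls or logins after its own logout event, which is the post-logout reuse this CVE allows. The audit-log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit-log lines (not real CloudStack output; the format is an assumption).
# Session abc123 keeps issuing API calls after its logout event, which is the reuse pattern to flag.
SAMPLE_LOG = """\
2024-10-01T10:00:00Z session=abc123 user=alice event=login status=success
2024-10-01T10:05:00Z session=abc123 user=alice event=api_call api=listVirtualMachines
2024-10-01T10:10:00Z session=abc123 user=alice event=logout
2024-10-01T10:12:00Z session=abc123 user=alice event=api_call api=deployVirtualMachine
2024-10-01T10:13:00Z session=abc123 user=alice event=api_call api=listNetworks
2024-10-01T11:00:00Z session=def456 user=bob event=login status=success
2024-10-01T11:30:00Z session=def456 user=bob event=logout
2024-10-01T12:00:00Z session=ghi789 user=bob event=login status=success
2024-10-01T12:01:00Z session=ghi789 user=bob event=api_call api=listVolumes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: (?P<detail>.*))?$"
)


def parse_log(text):
    """Parse lines into dicts and sort by timestamp (ISO 8601 strings sort lexically)."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    return sorted(events, key=lambda e: e["ts"])


def find_post_logout_reuse(events):
    """Return {session_id: [events]} for every session used again after its logout.

    A 'login' or 'api_call' carrying an already-logged-out session ID means the
    server accepted a token that should have been invalidated at logout."""
    logged_out_at = {}
    findings = defaultdict(list)
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "logout":
            logged_out_at[sid] = ev["ts"]
        elif sid in logged_out_at and ev["event"] in ("login", "api_call"):
            findings[sid].append({**ev, "logged_out_at": logged_out_at[sid]})
    return dict(findings)


if __name__ == "__main__":
    for sid, hits in find_post_logout_reuse(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} reused {len(hits)} time(s) after logout at {hits[0]['logged_out_at']}")
        for h in hits:
            print(f"  {h['ts']} user={h['user']} event={h['event']} {h['detail'] or ''}")
```

A clean session that logs out and is never seen again (def456) produces no finding, and a fresh login on a new session ID (ghi789) is not confused with reuse.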