Apache CloudStack: The extraconfig feature can be abused to load hypervisor resources on a VM instance

A problem has been identified in the CloudStack additional VM configuration (extraconfig) feature which can be misused by anyone who has privilege to deploy a VM instance or configure settings of an already deployed VM instance, to configure additional VM configuration even when the feature is not explicitly enabled by the administrator. In a KVM based CloudStack environment, an attacker can exploit this issue to attach host devices such as storage disks, and PCI and USB devices such as network adapters and GPUs, in a regular VM instance that can be further exploited to gain access to the underlying network and storage infrastructure resources, and access any VM instance disks on the local storage. Users are advised to upgrade to version 4.18.1.1 or 4.19.0.1, which fixes this issue.

N/A

输入验证不恰当

Apache CloudStack 输入验证错误漏洞

Apache CloudStack是美国阿帕奇（Apache）基金会的一套基础架构即服务（IaaS）云计算平台。该平台主要用于部署和管理大型虚拟机网络。 Apache CloudStack 4.18.1.1、4.19.0.1版本存在输入验证错误漏洞，该漏洞源于任何有权部署虚拟机实例或配置已部署虚拟机实例设置的人都可能会滥用附加虚拟机配置 (extraconfig) 功能来配置附加虚拟机配置。

N/A

N/A