Credit: This issue was discovered and reported by "v3ged0ge". Updated: https://blogs.apache.org/cloudstack/entry/cve-2022-35741
Regards.

On Mon, Jul 18, 2022 at 7:17 PM Rohit Yadav <ro...@apache.org> wrote:
>
> Apache CloudStack version 4.5.0 and later has a SAML 2.0 authentication Service Provider plugin which is found to be vulnerable to XML external entity (XXE) injection. This plugin is not enabled by default and the attacker would require that this plugin be enabled to exploit the vulnerability. When the SAML 2.0 plugin is enabled in affected versions of Apache CloudStack, it could potentially allow the exploitation of XXE vulnerabilities.
>
> The SAML 2.0 messages constructed during the authentication flow in Apache CloudStack are XML-based, and the XML data is parsed by various standard libraries that are now understood to be vulnerable to XXE injection attacks such as arbitrary file reading, possible denial of service, and server-side request forgery (SSRF) on the CloudStack management server.
>
> As of 18th July 2022, this is now tracked under CVE-2022-35741:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35741
>
> To mitigate the risk, a CloudStack admin can do any of the following:
>
> 1. Disable the SAML 2.0 plugin by setting `saml2.enabled` to false and restart the management servers.
>
> 2. Upgrade to Apache CloudStack 4.16.1.1 or 4.17.0.1 or higher.
>
> --
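The advisory above attributes the issue to standard XML libraries parsing SAML messages with entity resolution left enabled. The following is an added illustration of the defensive parser configuration that blocks this class of bug in Java (the language CloudStack is written in); it is not code from the CloudStack project or from the advisory's author, and the class name, the sample documents and the helper method names are all constructed for the example. It uses only JDK/Xerces feature URIs that exist in the built-in JAXP parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Constructed example: a DocumentBuilder hardened against XXE, suitable for
// parsing untrusted SAML 2.0 responses/assertions before signature validation.
public class HardenedSamlXmlParser {

    // Every SAML message arriving from the IdP is untrusted input. A DOCTYPE is
    // the only place XML can declare entities, so refusing DOCTYPE outright
    // removes file reads, SSRF via SYSTEM identifiers and entity-expansion DoS
    // in one step. The remaining features are belt-and-braces for parsers that
    // ignore disallow-doctype-decl.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);          // XInclude is another route to remote/local content
        f.setExpandEntityReferences(false); // do not inline entities even if one slipped through
        f.setNamespaceAware(true);          // SAML processing relies on namespaces
        return f.newDocumentBuilder();
    }

    // Parses a SAML document with the hardened builder; throws SAXException for
    // any document that carries a DOCTYPE, which is the desired failure mode.
    static Document parseSaml(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return newHardenedBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a minimal, DOCTYPE-free SAML response. Expected to parse.
        String benign = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_constructed-id\" Version=\"2.0\"/>";
        Document doc = parseSaml(benign);
        System.out.println("benign root element: " + doc.getDocumentElement().getLocalName());

        // Constructed sample 2: the same shape but preceded by a DOCTYPE declaring an
        // entity. The entity here is a harmless internal literal; the hardened parser
        // rejects the DOCTYPE itself, so it never gets as far as resolving anything.
        String withDoctype = "<!DOCTYPE samlp:Response [<!ENTITY e \"placeholder\">]>"
                + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">&e;</samlp:Response>";
        try {
            parseSaml(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted, parser is not hardened");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE as intended: " + e.getMessage());
        }
    }
}
```

For a deployed service the same factory settings belong wherever the SAML plugin decodes `SAMLResponse` and metadata documents, and a DOCTYPE rejection is worth logging as a security event, since a legitimate IdP never emits one. Mitigation 1 in the advisory (disabling the plugin) and mitigation 2 (upgrading) remain the supported fixes for CloudStack itself; this example only shows what the hardened parsing looks like.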