diff --git a/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/banner.jpg b/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/banner.jpg new file mode 100644 index 000000000..f1c11f86d Binary files /dev/null and b/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/banner.jpg differ diff --git a/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/index.md b/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/index.md new file mode 100644 index 000000000..913608ca9 --- /dev/null +++ b/blog/2025-11-27-advisory-release-4.20.2.0-4.22.0.0/index.md @@ -0,0 +1,82 @@ +--- +layout: post +title: "[ADVISORY] Security Improvements in Apache CloudStack 4.20.2.0 and 4.22.0.0" +tags: [announcement] +authors: [harikrishna] +slug: cve-advisories-4.20.2.0-4.22.0.0 +--- + +[![](banner.jpg "Security Improvements in Apache CloudStack 4.20.2.0 and 4.22.0.0")](/blog/lts-release-advisory-4.20.2.0-4.22.0.0) + +The Apache CloudStack project announces the LTS release of [4.20.2.0](https://github.com/apache/cloudstack/releases/tag/4.20.2.0) and [4.22.0.0](https://github.com/apache/cloudstack/releases/tag/4.22.0.0) that address the following security issues: + +- CVE-2025-59302 (severity 'Low') +- CVE-2025-59454 (severity 'Low') + + + +## [CVE-2025-59302](https://www.cve.org/CVERecord?id=CVE-2025-59302): Potential remote code execution on Javascript engine defined rules + +In Apache CloudStack, improper control of generation of code ('Code Injection') vulnerability is found in the following APIs which are accessible only to admins. + +- quotaTariffCreate +- quotaTariffUpdate +- createSecondaryStorageSelector +- updateSecondaryStorageSelector +- updateHost +- updateStorage + +The fix introduces a new global configuration flag, js.interpretation.enabled, allowing administrators to control the interpretation of JavaScript expressions in these APIs, thereby mitigating the code injection risk. + +## [CVE-2025-59454](https://www.cve.org/CVERecord?id=CVE-2025-59454): Lack of user permission validation leading to data leak for few APIs + +In Apache CloudStack, a gap in access control checks affected the APIs + +- createNetworkACL +- listNetworkACLs +- listResourceDetails +- listVirtualMachinesUsageHistory +- listVolumesUsageHistory + +While these APIs were accessible only to authorized users, insufficient permission validation meant that users could occasionally access information beyond their intended scope. + +## Credits + +The CVEs are credited to the following reporters: + +- CVE-2025-59302: + - Tianyi Cheng + +- CVE-2025-59454: + - bugreporter@qq.com + +## Affected versions: + +- CVE-2025-59302: + - Apache CloudStack 4.18.0.0 through 4.20.1.0 and 4.21.0.0 + +- CVE-2025-59454: + - Apache CloudStack 4.0.0 through 4.20.1.0 and 4.21.0.0 + +## Resolution + +Users are recommended to upgrade to version 4.20.2.0, 4.22.0.0 or later, which addresses these issues. + +## Downloads and Documentation + +The official source code for the 4.20.2.0 and 4.22.0.0 releases can be downloaded from the project [downloads page](/downloads). + +The 4.20.2.0 and 4.22.0.0 release notes can be found at: + +- https://docs.cloudstack.apache.org/en/4.20.2.0/releasenotes/about.html +- https://docs.cloudstack.apache.org/en/4.22.0.0/releasenotes/about.html + +In addition to the official source code release, individual contributors have also made release packages available on the Apache CloudStack download page, and available at: + +- https://download.cloudstack.org/el/8/ +- https://download.cloudstack.org/el/9/ +- https://download.cloudstack.org/el/10/ +- https://download.cloudstack.org/suse/15/ +- https://download.cloudstack.org/ubuntu/dists/ +- https://download.cloudstack.org/debian/dists/ +- https://www.shapeblue.com/cloudstack-packages/