Apache CloudStack Code Injection Vulnerability Allowing Potential Remote Code Execution

Vulnerability

A code injection vulnerability has been identified in Apache CloudStack versions 4.18.0 up to but not including 4.20.2, and 4.21.0 up to but not including 4.22.0. It arises from improper control of code generation (code injection, the CWE-94 class) in several management-server APIs that interpret JavaScript expressions supplied in their parameters, and it could lead to remote code execution. The affected APIs are quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, and updateStorage. All of them require administrator privileges, so exploitation needs an administrator account (legitimate or compromised): the issue turns API-level administrative access into code execution on the management server, and is not an unauthenticated attack.

Impact

Successful exploitation allows an authenticated administrator to execute arbitrary code on the server running the Apache CloudStack management server. Because the management server controls the hosts and storage of the whole deployment, code execution there should be treated as a compromise of the entire cloud infrastructure, not only of the CloudStack service.

Remediation

Users are advised to upgrade to Apache CloudStack 4.20.2 or 4.22.0 (or later in each release line), which include the fix. The fix introduces a global configuration setting, js.interpretation.enabled, with which administrators control whether the affected APIs interpret JavaScript expressions at all. After upgrading, confirm the setting's value (for example via the listConfigurations API with name=js.interpretation.enabled) and leave interpretation disabled unless JavaScript-based rules are actually in use. The flag is a control on the patched code path, not a substitute for the upgrade: unpatched versions do not have it.
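As a practical check for the two remediation points above, here is an added script that is not part of this advisory or of Apache CloudStack. It encodes the affected version ranges stated above, and it queries the js.interpretation.enabled setting through a signed listConfigurations call. It assumes the standard CloudStack API signing scheme (HMAC-SHA1 over the sorted, lower-cased query string, base64 encoded), a management server endpoint such as http://mgmt:8080/client/api, and API/secret keys passed through environment variables; the embedded sample response is constructed for offline use. The advisory does not state the flag's default, so the script only reports the value it finds.

```python
"""Check a CloudStack deployment against this advisory (added example, not project code)."""
import base64
import hashlib
import hmac
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import Optional

# Affected ranges from the advisory: 4.18.0 <= v < 4.20.2 and 4.21.0 <= v < 4.22.0.
AFFECTED_RANGES = [((4, 18, 0), (4, 20, 2)), ((4, 21, 0), (4, 22, 0))]
FLAG = "js.interpretation.enabled"


def parse_version(version: str) -> tuple:
    """Turn strings like '4.20.1.0' or '4.20.1-SNAPSHOT' into a 3-tuple of ints."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def sign_query(params: dict, api_key: str, secret_key: str) -> str:
    """Build a signed CloudStack API query string.

    Standard CloudStack signing: add apikey, sort parameters by name, URL-encode
    the values, lower-case the whole string, HMAC-SHA1 it with the secret key,
    base64 the digest and append it URL-encoded as the 'signature' parameter.
    """
    full = dict(params, apikey=api_key, response="json")
    query = "&".join(
        f"{k}={urllib.parse.quote(str(v), safe='*')}" for k, v in sorted(full.items())
    )
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = urllib.parse.quote(base64.b64encode(digest).decode(), safe="")
    return f"{query}&signature={signature}"


def flag_value(response: dict) -> Optional[str]:
    """Extract the flag's value from a listConfigurations JSON response, or None if absent."""
    entries = response.get("listconfigurationsresponse", {}).get("configuration", [])
    for entry in entries:
        if entry.get("name") == FLAG:
            return entry.get("value")
    return None


def check_flag(endpoint: str, api_key: str, secret_key: str) -> Optional[str]:
    """Ask the management server for the flag; None means the setting does not exist (unpatched?)."""
    query = sign_query({"command": "listConfigurations", "name": FLAG}, api_key, secret_key)
    with urllib.request.urlopen(f"{endpoint}?{query}", timeout=15) as resp:
        return flag_value(json.load(resp))


# Constructed sample, shaped like a listConfigurations response, for offline testing only.
SAMPLE_RESPONSE = {
    "listconfigurationsresponse": {
        "count": 1,
        "configuration": [{"category": "Advanced", "name": FLAG, "value": "false"}],
    }
}

if __name__ == "__main__":
    # usage: CS_ENDPOINT=http://mgmt:8080/client/api CS_API_KEY=... CS_SECRET_KEY=... python check.py 4.20.1
    version = sys.argv[1] if len(sys.argv) > 1 else "4.20.1"
    print(f"{version}: {'AFFECTED, upgrade' if is_affected(version) else 'not in an affected range'}")
    endpoint = os.environ.get("CS_ENDPOINT")
    if endpoint:
        value = check_flag(endpoint, os.environ["CS_API_KEY"], os.environ["CS_SECRET_KEY"])
        print(f"{FLAG} = {value if value is not None else 'absent (setting missing: unpatched build?)'}")
```

A missing setting is itself a finding: the flag only exists in patched builds, so an absent result on a host that reports a supposedly fixed version deserves a second look at what is actually deployed.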

Added: Nov 27, 2025, 12:18 PM
Updated: Nov 27, 2025, 1:23 PM

Vulnerability Rating

Custom Algorithm
spread          6.2
impact         10.0
exploitability  5.2
remediation     7.9
relevance       1.2
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.