CVE-2024-50386: 
Apache CloudStack vulnerability analysis and mitigation

CVE-2024-50386 affects Apache CloudStack versions 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2. The vulnerability allows account users to register templates that can be downloaded directly to primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates, attackers can exploit this to deploy malicious instances on KVM-based environments (CloudStack Blog, Security Online).

The vulnerability stems from insufficient validation checks in CloudStack's template registration process. When templates are registered and downloaded to primary storage using the LocalFileSystemRepository (the default for backups), malicious templates can be used to compromise the host filesystem. The vulnerability has received a CVSS v3.1 base score of 8.5 (High) from Apache Software Foundation and 9.9 (Critical) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could lead to compromise of resource integrity and confidentiality, data loss, denial of service, and potential compromise of the entire KVM-based infrastructure managed by CloudStack. The attacker could gain access to host filesystems, potentially leading to complete system compromise (OSS Security, ShapeBlue Advisory).

Users are strongly recommended to upgrade to Apache CloudStack versions 4.18.2.5 or 4.19.1.3 or later. Additionally, administrators should scan all user-registered KVM-compatible templates to ensure they are flat files without unnecessary features. Specific commands are provided to check for potential host filesystem compromises and examine template/volume features. Users on versions older than 4.19.1.0 should skip directly to 4.19.1.3 (CloudStack Blog, ShapeBlue Advisory).