Re: [ADVISORY] Apache CloudStack SAML Single Sign-On XXE (CVE-2022-35741)

[Rohit Yadav <rohit () apache org>]

Credit: This issue was discovered and reported by "v3ged0ge".

Updated: https://blogs.apache.org/cloudstack/entry/cve-2022-35741

Regards.

On Mon, Jul 18, 2022 at 7:20 PM Rohit Yadav <rohit () apache org> wrote:
> Apache CloudStack version 4.5.0 and later has a SAML 2.0
> authentication Service Provider plugin which is found to be vulnerable
> to XML external entity (XXE) injection. This plugin is not enabled by
> default and the attacker would require that this plugin be enabled to
> exploit the vulnerability. When the SAML 2.0 plugin is enabled in
> affected versions of Apache CloudStack could potentially allow the
> exploitation of XXE vulnerabilities.
>
> The SAML 2.0 messages constructed during the authentication flow in
> Apache CloudStack are XML-based and the XML data is parsed by various
> standard libraries that are now understood to be vulnerable to XXE
> injection attacks such as arbitrary file reading, possible denial of
> service, server-side request forgery (SSRF) on the CloudStack
> management server.
>
> As of 18th July 2022, this is now tracked under CVE-2022-35741:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35741
>
> To mitigate the risk, a CloudStack admin can do any of the following:
>
> 1. Disable the SAML 2.0 plugin by setting `saml2.enabled` to false and
> restart the management servers.
>
> 2. Upgrade to Apache CloudStack 4.16.1.1 or 4.17.0.1 or higher.
>
> --