The CloudStack security team recently received notice of a significant vulnerability in a CloudStack API call - registerUserKeys. The original intention for this call was for it to be exposed only for integration work - e.g. on the integration API port, not to the public network in general. A weakness in the API call's implementation allows a malicious user to reset the API keys of other users on the system, and thereby to access the resources and services available to those users. We have released CloudStack versions 4.8.1.1 and 4.9.0.1 with patches for this issue. More details about the release can be read in the official announcement post.

Some users may be protected from this weakness already, if they have configured their commands.properties file to limit access to this API call to callers on the integration API port instead of the general API port. In commands.properties each API command is mapped to a bitmask of the roles allowed to call it (1 = ADMIN, 2 = RESOURCE DOMAIN ADMIN, 4 = DOMAIN ADMIN, 8 = USER), so this can be accomplished by setting registerUserKeys to 1, which restricts the call to the ADMIN role.
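The following is an added example, not code from the CloudStack project or from the advisory, showing how the commands.properties check above can be audited. It parses the `command=bitmask` lines, decodes the role bitmask using the legend printed in CloudStack's own commands.properties (1 = ADMIN, 2 = RESOURCE DOMAIN ADMIN, 4 = DOMAIN ADMIN, 8 = USER), reports which non-admin roles can reach registerUserKeys, and produces the hardened file with the value set to 1. The sample properties text is constructed for the example; the function names are this example's own.

```python
# Added example (not CloudStack project code): audit a commands.properties
# file for API commands reachable by non-admin roles, and harden one entry.
#
# commands.properties maps an API command name to a bitmask of the roles
# allowed to call it. Legend from the file itself:
#   1 = ADMIN, 2 = RESOURCE DOMAIN ADMIN, 4 = DOMAIN ADMIN, 8 = USER
# A value of 15 exposes a command to every role; 1 restricts it to ADMIN.

from typing import Dict, List

ROLE_BITS = {1: "ADMIN", 2: "RESOURCE_DOMAIN_ADMIN", 4: "DOMAIN_ADMIN", 8: "USER"}

# Constructed sample, not a real file: registerUserKeys with the weak setting
# (all four role bits), plus a few other entries for comparison.
SAMPLE_PROPERTIES = """\
### bitmap of permissions at the end of each classname, 1 = ADMIN, 2 = RESOURCE DOMAIN ADMIN, 4 = DOMAIN ADMIN, 8 = USER
#### constructed sample entries
listVirtualMachines=15
registerUserKeys=15
deleteUser=7
createAccount=3
"""


def parse_commands_properties(text: str) -> Dict[str, int]:
    """Return {command: bitmask} for every well-formed 'name=integer' line.

    Blank lines, comments and malformed entries are skipped rather than
    guessed at, so a corrupted line never silently widens a permission."""
    perms: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if not value.isdigit():
            continue
        perms[name] = int(value)
    return perms


def roles_for(mask: int) -> List[str]:
    """Decode a role bitmask into role names, lowest bit first."""
    return [name for bit, name in ROLE_BITS.items() if mask & bit]


def non_admin_roles_for(perms: Dict[str, int], command: str) -> List[str]:
    """Non-ADMIN roles that may call `command`; [] if it is absent or admin-only."""
    mask = perms.get(command)
    if mask is None:
        return []
    return [role for role in roles_for(mask) if role != "ADMIN"]


def commands_exposed_to_users(perms: Dict[str, int]) -> List[str]:
    """Sorted list of commands whose mask includes the USER bit (8)."""
    return sorted(cmd for cmd, mask in perms.items() if mask & 8)


def harden(text: str, command: str, mask: int = 1) -> str:
    """Rewrite the entry for `command` to `mask` (default 1 = ADMIN only).

    Comments and every other line are preserved byte-for-byte."""
    out = []
    for raw in text.splitlines():
        is_comment = raw.lstrip().startswith("#")
        name = raw.split("=", 1)[0].strip() if "=" in raw else None
        if not is_comment and name == command:
            out.append(f"{command}={mask}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    perms = parse_commands_properties(SAMPLE_PROPERTIES)
    print("registerUserKeys reachable by:", non_admin_roles_for(perms, "registerUserKeys"))
    print("commands exposed to USER:", commands_exposed_to_users(perms))
    fixed = parse_commands_properties(harden(SAMPLE_PROPERTIES, "registerUserKeys"))
    print("after hardening:", non_admin_roles_for(fixed, "registerUserKeys"))
```

Run it against a real commands.properties by replacing the constructed sample with the file contents; any command the audit reports under the USER or DOMAIN_ADMIN bits is callable from the general API port by that role, which for registerUserKeys is exactly the exposure this advisory describes.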

Users of Apache CloudStack version 4.9 who are using the dynamic roles feature can instead delete the "Allow" rule for "registerUserKeys" for each non-administrator role under the Roles/Rules section of the user interface.

Credit:

This vulnerability was reported by Marc-Aurèle Brothier from Exoscale.