Impact

The ZStack Cloud releases before 3.10.38(included) are vulnerable to unauthorized access.

Patches

The problem already patched in ZStack 3.10.40 and all further versions (ZStack Cloud 4.x are not vulnerable).

Workarounds

We strongly suggest users upgrade to patched versions.

If you have a Web Application Firewall(WAF), filter requests GET /calls/uuids could reduce the impact of this vulnerability.

if you do not have a WAF, iptables could be an alternative(make sure running bellow command on all management node)

iptables -I INPUT -i br_eth0 -p tcp --dport 5000 -m string --string “/calls/uuids” --algo kmp -j DROP

replace br_eth0 and 5000 to corresponding network interface and port number

For more information

If you have any questions or comments about this advisory:

• Contact our support ZStack
• Open an issue in ZStack Github Repo
• Email us at [email protected]