Severity
High
Analysis Summary
CVE-2024-39864 CVSS:9.8
Apache CloudStack could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw when configured and enabled via integration.api.port global setting. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on CloudStack managed hosts.
CVE-2024-38346 CVSS:9.8
Apache CloudStack could allow a remote attacker to execute arbitrary code on the system, caused by a command injection flaw in the unauthenticated port (default 9090). By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on CloudStack managed hosts.
CVE-2024-34750 CVSS:7.5
Apache Tomcat is vulnerable to a denial of service, caused by a flaw when processing an HTTP/2 stream. By sending specially crafted HTTP headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
Impact
- Denial of Service
- Gain Access
- Code Execution
Indicators of Compromise
CVE
- CVE-2024-39864
- CVE-2024-38346
- CVE-2024-34750
Affected Vendors
Affected Products
- Apache CloudStack 4.19.0.0
- Apache CloudStack 4.19.0.1
- Apache CloudStack 4.18.2.0
- Apache Tomcat 9.0.89
- Apache Tomcat 10.1.24
- Apache Tomcat 11.0.0-M20
Remediation
Upgrade to the latest version of Apache Product, available from the Apache Website.