The Apache CloudStack Blog

Friday October 13, 2017

Dnsmasq Vulnerabilities Advisory for CloudStack

Recently, a number of security flaws were found in the DNSMasq tool. This tool is used by many systems to provide DNS and DHCP services, including the CloudStack System VMs.

According to Google’s investigation into the software, out of seven issues, three — CVE-2017-14491, CVE-2017-14492, and CVE-2017-14493 — are remote code execution flaws caused by heap buffer overflow and stack buffer overflow errors through DHCP and DNS vectors.

Another issue, CVE-2017-14494, can be exploited to bypass the address space layout randomization (ASLR) memory protection function, leading to information leaks.

In addition, three more bugs, CVE-2017-14495, CVE-2017-14496, and CVE-2017-13704, can lead to denial-of-service (DoS) attacks caused by invalid boundary checks, bug collision, and a coding issue.

Effect on CloudStack

CloudStack’s System VMs use DNSMasq to provide DNS and DHCP services to the guest VMs from the virtual routers. These services are only exposed on the internal guest interface(s) of the virtual routers. Therefore, a malicious user could compromise a virtual router to which they have a guest instance attached.

The Fix

On 9th October, an updated version of DNSMasq was released by the authors of DNSMasq for the Debian Wheezy operating system, which the CloudStack System VMs use. We have created new versions of the System VM templates, which should be used to replace your existing System VMs using the procedure described below.

A short-term fix for currently running System VMs (if they have internet access) is to log into the System VMs and run:

apt-get update
apt-get upgrade dnsmasq -y

For information on logging into System VMs please see:

The above procedure will patch existing virtual routers, but should a virtual router be destroyed and recreated or a new virtual router created, the subsequent virtual router will no longer be patched.

The full fix is to replace the existing System VM template(s) with the latest patched versions, as well as recreating or patching existing virtual routers.

System VM Patching Procedure

New System VM templates with updated DNSMasq for major CloudStack versions for XenServer, VMware and KVM hypervisors have been built. We advise CloudStack users to upgrade to the appropriate System VM template and either:

Patch all existing virtual routers using the procedure above, or recreate all virtual routers using the procedure detailed in the link for updating system VM templates (below).
For ACS 4.10+:
For ACS 4.6-4.9:

The procedure for updating the system VM templates can be found at


Thanks for the patch!

Posted by addy on October 29, 2017 at 01:14 AM UTC #

I have been using CloudStack on localhost with phpMyAdmin; the sample access address: CloudStack is a very easy to use cloud management system. Many companies in this forum also sell VDS with VMware under cloud server name. We will give you the Cloud billing system that we use today. We wanted to share because nobody shared the forum. The DigitalOcean customer panel is actually very similar. Lakin is still in beta and not fully developed. We recommend your visit.

Posted by localhost/phpmyadmin on November 01, 2017 at 04:47 PM UTC #
