On March 3, 2019, Rio Sherri from MDSec discovered, and responsibily disclosed, an unauthenticated remote command execution (RCE) vulnerability in CloudTest, that affects all versions prior to 58.30. This vulnerability has been assigned to CVE-2019-11011.
The discovered vulnerability existed due to an unsafe Java deserialization between certain parameters. After extensive testing, Akamai released a patch on March 7, 2019 and made it available to all CloudTest customers.
Akamai strongly urges customers that have not already updated their hosted or on-premise installations of CloudTest to version 58.30 or later, to apply the available patches as soon as possible. Customers using CloudTest On-Demand do not need to take any action, as updates have already been applied.
While Akamai has seen no evidence suggesting this vulnerability has been misused or exploited in any customer's CloudTest installation, a vulnerability of this nature should be treated as urgent and addressed quickly.
CloudTest can be installed on-premise or on-cloud. For on-premise installs, the exposure to CVE-2019-11011 is limited to network traffic behind the firewall and commands that can be executed within a Docker container. On-cloud installs are exposed via network traffic with access to the CloudTest servers, as well as commands that can be executed within a Docker container.
Once more, customers are strongly encouraged to update, as upgrading to version 58.30 will resolve this issue. Customers using CloudTest on-demand do not need to take any action.
Akamai wishes to thank Rio Sherri and MDSec for responsibility disclosing this issue.