The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request.
Apache CloudStack versions 4.1.0, 4.1.1, and 4.2.0 have an issue where their virtual router accidentally allows additional access during firewall starting and stopping.