Description:
Summary
Multiple instances of credential leakage have been identified in the codebase, where sensitive information (passwords, database credentials, authentication tokens) is logged directly or exposed through exception messages.
Severity
High - Credentials exposed in logs can be accessed by unauthorized users with log file access, potentially leading to system compromise.
Vulnerability Details
1. Direct Logging of Credentials
The following locations directly log sensitive credentials:
- UriUtils.java (Line 504)
  ```java
  LOGGER.info("Added username=" + user + ", password=" + password + "for host " + hostAndPort.first() + ":" + hostAndPort.second());
  ```
  - Issue: Logs URI containing credentials
- HttpTemplateDownloader.java (Line 154)
  ```java
  logger.info("Added username=" + user + ", password=" + password + "for host " + hostAndPort.first() + ":" + hostAndPort.second());
  ```
  - Issue: Logs HTTP authentication credentials
- BaremetalDnsmasqResource.java (Line 49)
  ```java
  logger.debug(String.format("Trying to connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s)", _ip, _username, _password));
  ```
  - Issue: Logs baremetal service credentials
- DatabaseCreator.java (Line 102)
  ```java
  System.out.println(String.format("========> Initializing database=%s with host=%s port=%s username=%s password=%s", dbName, host, port, username, password));
  ```
  - Issue: Logs database password
2. Credential Exposure through Exception Messages
The following locations expose credentials through exception handling:
- BaremetalDnsmasqResource.java (Line 52)
  ```java
  throw new ConfigurationException(String.format("Cannot connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
  ```
- BaremetalKickStartPxeResource.java (Lines 134, 170)
  ```java
  throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
  throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
  ```
- BaremetalPingPxeResource.java (Lines 154, 182, 240)
  ```java
  throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
  throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
  throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
  ```
- ConsoleProxyResource.java (Line 334)
  ```java
  logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", encryptorPassword);
  ```
Correct Implementation Reference
The codebase already contains proper credential masking implementations that should be followed:
- BaremetalKickStartPxeResource.java (Lines 55, 60)
  - Line 55:
    ```java
    logger.debug(String.format("Trying to connect to kickstart PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
    ```
  - Line 60:
    ```java
    throw new ConfigurationException(String.format("Cannot connect to kickstart PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
    ```
  - These lines demonstrate proper password masking before logging
Recommended Fix
- Mask credentials before logging: Replace actual passwords/credentials with masked values (e.g., `******` or `[REDACTED]`)
- Sanitize exception messages: Ensure exception messages don't contain sensitive data before throwing
- Use utility methods: Create/use existing utility methods for credential masking consistently across the codebase
- Code review: Audit all logging statements for potential credential exposure
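To support the audit step, the following sketch (an added example, not code from the project or from this report) flags single-line Java statements that pass a credential-named variable to a logger, `System.out`, or an exception constructor. The identifier keywords and the `SAMPLE` input, assembled from statements quoted in this report, are assumptions of the example.

```python
import re

# Sinks named in this report: logger calls, System.out/err, thrown exceptions.
SINK = re.compile(
    r"\b(?:logger|LOGGER)\.(?:trace|debug|info|warn|error)\s*\("
    r"|System\.(?:out|err)\.print\w*\s*\("
    r"|throw\s+new\s+\w+\s*\("
)
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
# Assumed keyword list; extend it to match the naming used in your codebase.
SENSITIVE = re.compile(r"\b\w*(?:password|passwd|secret|token)\w*\b", re.I)

def sensitive_args(line):
    """Credential-named identifiers passed to a sink on this line."""
    sink = SINK.search(line)
    if not sink:
        return []
    # Blank out string literals so message text such as "password=%3$s" and
    # masks such as "******" are ignored; only variables and fields remain.
    code = STRING_LITERAL.sub('""', line[sink.end():])
    return sorted(set(SENSITIVE.findall(code)))

def audit(source):
    """Return (line_number, identifiers) for every suspicious statement."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        names = sensitive_args(line)
        if names:
            findings.append((lineno, names))
    return findings

# Constructed sample: statements quoted in this report, one per line.
SAMPLE = r'''LOGGER.info("Added username=" + user + ", password=" + password + "for host " + hostAndPort.first() + ":" + hostAndPort.second());
logger.debug(String.format("Trying to connect to kickstart PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));
throw new ConfigurationException(String.format("Cannot connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));
logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", encryptorPassword);
System.out.println(String.format("========> Initializing database=%s with host=%s port=%s username=%s password=%s", dbName, host, port, username, password));
throw new ConfigurationException(String.format("Cannot connect to kickstart PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));'''

if __name__ == "__main__":
    for lineno, names in audit(SAMPLE):
        print(f"line {lineno}: logs or throws {', '.join(names)}")
```

The check is a line-based heuristic: statements split across lines are missed, and helper calls whose names contain a keyword are reported, so treat hits as candidates for manual review.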
Example Fix Pattern
```java
// Before (vulnerable)
logger.debug("Connecting with password: " + password);
// After (secure)
logger.debug("Connecting with password: ******");
```
Impact
- Credentials in log files can be accessed by system administrators, log aggregation systems, or attackers who gain log file access
- Violates security best practices and compliance requirements (PCI-DSS, GDPR, etc.)
- Increases attack surface for credential theft
References
Source locations cited above (all at commit 15c2e50):
- cloudstack/utils/src/main/java/com/cloud/utils/UriUtils.java, line 504
- cloudstack/core/src/main/java/com/cloud/storage/template/HttpTemplateDownloader.java, line 154
- cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalDnsmasqResource.java, lines 49 and 52
- cloudstack/engine/schema/src/main/java/com/cloud/upgrade/DatabaseCreator.java, line 102
- cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalKickStartPxeResource.java, lines 134 and 170 (unmasked), lines 55 and 60 (masked reference implementation)
- cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java, lines 154, 182 and 240
- cloudstack/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java, line 334