[I] Password Exposure in IPMI Tool Command Execution [cloudstack]

Sat, 08 Nov 2025 00:03:41 -0800 


YLChen-007 opened a new issue, #12027:
URL: https://github.com/apache/cloudstack/issues/12027

   ## Summary
   
   A security vulnerability has been identified in the Apache CloudStack 
Out-of-Band Management IPMI tool driver where plaintext passwords are logged 
when trace-level logging is enabled. The password passed via 
`cmd.getNewPassword()` is included in the command arguments and subsequently 
exposed through debug logging.
   
   ## Vulnerability Details
   
   **Component:** 
`org.apache.cloudstack.outofbandmanagement.driver.ipmitool.IpmitoolOutOfBandManagementDriver`
   
   **Vulnerability Type:** Sensitive Information Disclosure / Password Exposure 
in Logs
   
   **Severity:** Medium to High (depending on logging configuration and log 
access controls)
   
   ## Technical Description
   
   In the `execute(OutOfBandManagementDriverChangePasswordCommand cmd)` method, 
the new password is passed directly to the IPMI tool command arguments:
   
   ```java
   final List<String> ipmiToolCommands = 
IPMITOOL.getIpmiToolCommandArgs(IpmiToolPath.value(),
           IpmiToolInterface.value(), IpmiToolRetries.value(),
           cmd.getOptions(), "user", "set", "password", 
outOfBandManagementUserId, cmd.getNewPassword());
   
   return IPMITOOL.executeCommands(ipmiToolCommands, cmd.getTimeout())
   
   //OutOfBandManagementDriverResponse 
org.apache.cloudstack.outofbandmanagement.driver.ipmitool.IpmitoolWrapper.executeCommands(List<String>
 commands, Duration timeOut)
   public OutOfBandManagementDriverResponse executeCommands(final List<String> 
commands, final Duration timeOut) {
        final ProcessResult result = RUNNER.executeCommands(commands, timeOut);
        ...
   }
   ```
   
   These commands are finally passed to 
`org.apache.cloudstack.utils.process.ProcessRunner.executeCommands(List<String> 
commands, Duration timeOut)`, which logs the complete command string without 
improper sanitization when debug logging is enabled:
   
   ```java
     String commandLog = 
removeCommandSensitiveInfoForLogging(StringUtils.join(commands, " "));
     logger.debug("Preparing command [{}] to execute.", commandLog);
     final Process process = new ProcessBuilder().command(commands).start();
   
   ```
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to