YLChen-007 opened a new issue, #12031:
URL: https://github.com/apache/cloudstack/issues/12031
## Description
We have identified a security vulnerability where sensitive credentials
(passwords) are exposed through application logs during OVM (Oracle VM)
hypervisor server configuration. The password is embedded in an exception
message and subsequently logged when the exception is caught.
## Data Flow
### 1. Exception Thrown with Password in Message
In `com.cloud.ovm.hypervisor.OvmResourceBase.setupServer`, when an SSH
connection fails, a `CloudRuntimeException` is thrown with the password
included in the error message:
```java
// com.cloud.ovm.hypervisor.OvmResourceBase.setupServer()
protected void setupServer() throws IOException {
    ...
    if (sshConnection == null) {
        throw new CloudRuntimeException(String.format("Cannot connect to ovm host(IP=%1$s, username=%2$s, password=%3$s",
                _ip, _username, _password)); // ← Password embedded in exception message
    }
    ...
}
```
### 2. Exception Logged with Sensitive Data
In `com.cloud.ovm.hypervisor.OvmResourceBase.configure`, the exception is
caught and logged at DEBUG level, which causes the password to be written to
the application logs:
```java
// com.cloud.ovm.hypervisor.OvmResourceBase.configure(String name, Map<String, Object> params)
try {
    setupServer();
} catch (Exception e) {
    logger.debug("Setup server failed, ip " + _ip, e); // ← Exception with password logged here
    throw new ConfigurationException("Unable to setup server");
}
```
## Vulnerability Analysis
The vulnerability chain consists of:
1. **Password in Exception Message**: The `setupServer()` method constructs
an exception message that includes the plaintext password used for SSH
authentication
2. **Exception Propagation**: The exception is thrown and caught by the
calling method
3. **Debug Logging**: The caught exception (including its message containing
the password) is logged at DEBUG level
4. **Log Persistence**: The password is permanently written to log files
where it can be accessed by unauthorized parties
--
This is an automated message from the Apache Git Service.
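An added example, not code from the issue or from CloudStack, showing the two layers of fix a reviewer would expect for the chain described above: build the connection-failure message from host and username only, so the secret never enters the exception, and redact credential-shaped fields from a throwable's message chain as defence in depth before anything is handed to a log sink. `HostConnectException`, `connectFailure`, `redact`, `redactedThrowable`, the regex and the sample IP/user/password values are all assumptions made for this example and are not CloudStack identifiers.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CredentialSafeLogging {

    // Hypothetical stand-in for CloudRuntimeException; not a CloudStack class.
    static final class HostConnectException extends RuntimeException {
        HostConnectException(String msg) { super(msg); }
    }

    // Hardened equivalent of the setupServer() failure path: the message identifies
    // the host and account but never interpolates the credential itself.
    static HostConnectException connectFailure(String ip, String user) {
        return new HostConnectException(
            String.format("Cannot connect to ovm host (IP=%s, username=%s)", ip, user));
    }

    // Defence in depth: matches "password=..."-style fields (also passwd/pwd/secret/token,
    // '=' or ':' separators, case-insensitive) so a secret that some other code path
    // still puts into a message is masked before it reaches the log.
    private static final Pattern SECRET_FIELD = Pattern.compile(
        "(?i)\\b(password|passwd|pwd|secret|token)\\s*[=:]\\s*([^\\s,;)]+)");

    // Returns the message with every credential value replaced by "***", keeping the key.
    static String redact(String message) {
        if (message == null) {
            return null;
        }
        Matcher m = SECRET_FIELD.matcher(message);
        return m.replaceAll("$1=***");
    }

    // Builds the text a logger would emit for a throwable, walking the cause chain,
    // with each message redacted. Use this instead of passing the raw Throwable to
    // logger.debug(msg, e) when the exception may carry untrusted or sensitive text.
    static String redactedThrowable(Throwable t) {
        StringBuilder sb = new StringBuilder();
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            if (sb.length() > 0) {
                sb.append(" <- ");
            }
            sb.append(cur.getClass().getSimpleName())
              .append(": ")
              .append(redact(cur.getMessage()));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration; not from any real deployment.
        String ip = "10.0.0.7";
        String user = "root";
        String password = "Sup3rS3cret!";

        // The leaky pattern from the issue: the secret is part of the exception message,
        // so logging the exception logs the password.
        RuntimeException leaky = new RuntimeException(String.format(
            "Cannot connect to ovm host(IP=%1$s, username=%2$s, password=%3$s", ip, user, password));
        System.out.println("leaky   : " + leaky.getMessage());
        System.out.println("redacted: " + redactedThrowable(leaky));

        // The hardened message never contained the secret, so redaction is a no-op.
        System.out.println("hardened: " + redactedThrowable(connectFailure(ip, user)));
    }
}
```

The first fix is the one that actually closes the issue: a message that never contained the secret cannot leak it at any log level, and it also cannot leak through `toString()`, an API error response or a crash dump. The redaction filter is a safety net for the rest of the codebase, not a substitute; pattern-based masking misses secrets that are not labelled as such, so it should be paired with a review of every `String.format` and concatenation that touches a credential field.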