YLChen-007 opened a new issue, #13301: URL: https://github.com/apache/cloudstack/issues/13301
### Advisory Details **Title**: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`) **Description**: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating virtual machines, volumes, or managing templates) is executed under the asynchronous job framework (`cloud-framework-jobs`). During execution, progress or status updates are processed and logged by the management server via `AsyncJobManagerImpl.updateAsyncJobStatus`. While the developers previously patched a sensitive password leak in the job completion logger (`completeAsyncJob`), they completely missed `updateAsyncJobStatus`. Specifically, in [AsyncJobManagerImpl.java](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442), progress/status updates were directly logged in plain text when `DEBUG` logging was enabled: ```java @Override @DB public void updateAsyncJobStatus(final long jobId, final int processStatus, final String resultObject) { if (logger.isDebugEnabled()) { logger.debug("Update async-job progress, job-" + jobId + ", processStatus: " + processStatus + ", result: " + resultObject); } ``` If an asynchronous operation reports progress containing a serialized command response, database configuration, or credentials (such as standard fields containing `"password"`), these raw, unmasked secrets will leak directly into the management server log files. --- ### Summary An information exposure vulnerability exists in Apache CloudStack's asynchronous job execution framework (`cloud-framework-jobs`). When `DEBUG` level logging is enabled on the management server, intermediate status/progress updates containing raw, unmasked sensitive credentials (such as standard `"password"` fields) are printed in plain text directly to the system log via `AsyncJobManagerImpl.updateAsyncJobStatus`. This bypasses existing password obfuscation mechanisms implemented in other parts of the job framework. --- ### Details During asynchronous job execution, progress updates are logged via `AsyncJobManagerImpl.updateAsyncJobStatus`. Unlike `AsyncJobManagerImpl.completeAsyncJob`, which properly obfuscates user passwords using `convertHumanReadableJson(obfuscatePassword(resultObject, HidePassword.value()))`, `updateAsyncJobStatus` directly outputs `resultObject` to the logger without any filtering or sanitization. Consequently, any JSON payload containing sensitive fields such as `"password"` or database configurations with credentials is written in plain text to log files, exposing them to any user or internal service with log access. --- ### PoC #### Prerequisites - A standard Java and Maven build environment. - The `org.apache.cloudstack:cloud-framework-jobs` module compiled. - Logging level for `org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl` configured to `DEBUG`. #### Reproduction Steps 1. Download the Docker Environment Configuration file: [docker-compose.yml](https://gist.github.com/YLChen-007/e804cb11fb975c6d23a81fc8d6b95c0f) 2. Download the Replication Test Automation script: [verification_test_Issue-cloudstack-8854.py](https://gist.github.com/YLChen-007/685a0d477c87272d11ccb5cab2fe2d2a) 3. Download the Control Group Test script: [control-obfuscation_check.py](https://gist.github.com/YLChen-007/41c50a13a5beec322cc672a014eee7f4) 4. Execute the replication script from the root of the workspace to build the module, run the regression test, and witness the plain text leak: ```bash python3 verification_test_Issue-cloudstack-8854.py ``` 5. Execute the control group script to verify that the password obfuscation logic functions correctly under normal conditions: ```bash python3 control-obfuscation_check.py ``` --- ### Log of Evidence ```text 23:13:05.397 [main] DEBUG org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl - Update async-job progress, job-1, processStatus: 1, result: {"password":"mysecretpassword","other":"field"} 23:13:05.402 [main] DEBUG org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl - job-1 no longer exists, we just log progress info here. progress status: 1 Captured Writer Log Output: Update async-job progress, job-1, processStatus: 1, result: {"password":"mysecretpassword","other":"field"}job-1 no longer exists, we just log progress info here. progress status: 1 [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.185 s <<< FAILURE! - in org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest [ERROR] testUpdateAsyncJobStatusObfuscation(org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest) Time elapsed: 0.754 s <<< FAILURE! java.lang.AssertionError: Vulnerability Triggered: plaintext password leaked! at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest.testUpdateAsyncJobStatusObfuscation(AsyncJobManagerImplTest.java:118) ``` --- ### Impact - **Vulnerability Type**: Information Exposure / Log Injection of Sensitive Credentials - **Asset Compromise**: High. Exposing administrator and virtual machine passwords or other private API keys inside standard log files allows local attackers, internal users, or compromised log ingestion pipelines (ELK, Splunk) to gain complete access to hypervisors, OOB/IPMI consoles, and private cloud infrastructure. --- ### Affected products - **Ecosystem**: maven - **Package name**: org.apache.cloudstack:cloud-framework-jobs - **Affected versions**: <= 4.22.1.0 (commit: `348ce953a99246a756b527994f7745a7be038234`) - **Patched versions**: <None> --- ### Severity - **Severity**: High - **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N --- ### Weaknesses - **CWE**: CWE-532: Insertion of Sensitive Information into Log File --- ### Occurrences | Permalink | Description | | :--- | :--- | | [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442) | The vulnerable logging statement inside `updateAsyncJobStatus` method that prints raw progress results containing plain text passwords without any obfuscation filter. | -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
