YLChen-007 opened a new issue, #13303:
URL: https://github.com/apache/cloudstack/issues/13303
### Advisory Details
**Title**: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations
**Description**:
Apache CloudStack is vulnerable to plaintext credential exposure when
registering and configuring external network element providers (such as VMware
NSX, Netris, or BigSwitch BCF) and hypervisors (such as Oracle OVM3). During
configuration initialization (`configure` method), the resource managers check
for the existence of mandatory properties (like `port` or `url`). If a required
parameter is missing or connection fails, the resource managers throw a
`ConfigurationException` that stringifies the entire unmasked configuration
parameters map (`params`), which contains the cleartext administrator or agent
password.
This exception is captured by the outer Management Server framework and is
both directly returned to the calling client in the JSON HTTP REST API error
response (`errortext` field) and logged as cleartext in system logs
(`management-server.log`). In addition, `Ovm3HypervisorResource` prints the raw
parameter map in debug mode, causing credentials to be persistently stored in
the logging system.
---
### Summary
An information exposure vulnerability in Apache CloudStack allows
authenticated administrators or network operators to leak and obtain highly
privileged plaintext credentials of underlying network elements (VMware NSX,
Netris, BigSwitch) and hypervisor agents (OVM3). By submitting a resource
configuration request that deliberately omits a required parameter, the
platform's exception handling stringifies the entire configuration map,
revealing the plaintext password in HTTP REST API error responses and system
logs.
---
### Details
In Apache CloudStack, administrators configure external infrastructure by
invoking REST API commands like `addNsxController`, `addHost`, and
`addNetrisDevice`. The framework passes these parameters in a unified `params`
Map (`Map<String, Object>`) to the corresponding backend `ServerResource`
component.
Four resource managers fail to properly mask or exclude the raw parameter
map when raising exceptions or logging:
1. **`NsxResource.java`** (Lines 186–205)
When checking mandatory parameters (e.g. `port`, `username`, `password`),
if a check fails, the resource manager stringifies `params` in the exception
message:
```java
port = (String) params.get("port");
if (port == null) {
    throw new ConfigurationException("Missing NSX port from params: " + params);
}
```
Since `params` contains the cleartext `"password"` field, it is converted
to string and returned in the Exception message.
2. **`NetrisResource.java`** (Lines 190–204)
Similarly leaks cleartext credentials in Netris element configurations:
```java
endpointUrl = (String) params.get("url");
if (endpointUrl == null) {
    throw new ConfigurationException("Missing Netris provider URL from params: " + params);
}
```
3. **`BigSwitchBcfResource.java`** (Lines 106–124)
Leaks credentials in BigSwitch BCF configuration error messages:
```java
String hostname = (String) params.get("hostname");
if (hostname == null) {
    throw new ConfigurationException("Missing host name from params: " + params);
}
```
4. **`Ovm3HypervisorResource.java`** (Line 308)
Logs the complete parameter map including unmasked OVS agent passwords in
debug logging:
```java
@Override
public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
    logger.debug("configure " + name + " with params: " + params);
    // ...
}
```
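The remediation pattern common to all four sites is to never stringify the raw `params` map: derive a masked view of it and use that in exception messages and debug logging. The following is an added example (not CloudStack code); the class name, the `SENSITIVE_KEYS` list and the constructed request map are assumptions for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.naming.ConfigurationException;

// Added example, not CloudStack code: the exception message carries a masked
// copy of the params map instead of the raw map shown in the vulnerable snippets.
public class MaskedParamsExample {
    // Keys whose values must never be stringified; the list is illustrative.
    private static final Set<String> SENSITIVE_KEYS =
            Set.of("password", "apikey", "secretkey", "signature");

    // Returns a shallow copy with sensitive values replaced. The original map is
    // untouched, so the resource can still authenticate with the real credentials.
    static Map<String, Object> maskSensitive(Map<String, Object> params) {
        Map<String, Object> masked = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : params.entrySet()) {
            boolean secret = e.getKey() != null
                    && SENSITIVE_KEYS.contains(e.getKey().toLowerCase());
            masked.put(e.getKey(), secret ? "****" : e.getValue());
        }
        return masked;
    }

    // Hardened counterpart of the NsxResource port check: the message still names
    // the missing key and the non-secret context, but only via the masked view.
    static String configure(Map<String, Object> params) throws ConfigurationException {
        String port = (String) params.get("port");
        if (port == null) {
            throw new ConfigurationException(
                    "Missing NSX port from params: " + maskSensitive(params));
        }
        return port;
    }

    public static void main(String[] args) {
        // Constructed request resembling the PoC payload, with "port" deliberately omitted.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("name", "mock-nsx-provider");
        params.put("username", "admin");
        params.put("password", "HighlySensitiveResourcePassword123!");
        params.put("apiKey", "ADMIN_API_KEY_PLACEHOLDER");
        try {
            configure(params);
        } catch (ConfigurationException ex) {
            // The logged message contains "password=****" and "apiKey=****", never the secrets.
            System.out.println(ex.getMessage());
        }
    }
}
```

The same `maskSensitive` view is what `Ovm3HypervisorResource` should pass to `logger.debug`, so that credentials never reach `management-server.log` even at debug level.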
---
### PoC
#### Prerequisites
* Python 3.x with the `requests` library installed.
* CloudStack Management Server administrative API access (or a simulated
test environment).
#### Reproduction Steps
To reproduce the credential leakage safely and reliably without a full
multi-gigabyte Apache CloudStack cluster setup, we use a local mock
verification script that simulates the backend resource validation logic:
1. Download the isolated environment setup from:
[docker-compose.yml](https://gist.github.com/YLChen-007/890b90176cdcdc1110f91894feda19e5)
2. Download the Vulnerability Verification PoC script from:
[verification_test_Issue-cloudstack-11985-ResourceParams.py](https://gist.github.com/YLChen-007/bdd4c812681c958cb3089fe9e88c3e07)
3. Download the Control Group Verification script from:
[control-masked_exception.py](https://gist.github.com/YLChen-007/49f9ce71c53e1d1acc03e4d4a13be6c6)
4. Execute the verification test to demonstrate the plaintext password
leakage:
```bash
python3 verification_test_Issue-cloudstack-11985-ResourceParams.py
```
5. Execute the control test to confirm that a secured backend correctly
masks or omits the parameter map:
```bash
python3 control-masked_exception.py
```
---
### Log of Evidence
Upon executing the verification test
(`verification_test_Issue-cloudstack-11985-ResourceParams.py`), the following
runtime console output confirms the defect by capturing the cleartext password
`HighlySensitiveResourcePassword123!` directly in the error response payload:
```
[*] Starting Local Vulnerability Mock Server...
[*] Running Issue-cloudstack-11985 ResourceParams Credential Leakage Integration Test...
[*] Dispatching addNsxController command with sensitive password: HighlySensitiveResourcePassword123!
[*] Response Status Code: 530
[*] Response Payload: {'addnsxcontrollerresponse': {'errorcode': 530, 'errortext': "com.cloud.utils.exception.CloudRuntimeException: javax.naming.ConfigurationException: Missing NSX port from params: {'name': 'mock-nsx-provider', 'hostname': '192.168.1.100', 'username': 'admin', 'password': 'HighlySensitiveResourcePassword123!', 'tier0gateway': 'T0-GW', 'edgecluster': 'Edge-Cluster', 'transportzone': 'TZ-Overlay', 'zoneid': '00000000-0000-0000-0000-000000000000', 'command': 'addNsxController', 'apiKey': 'ADMIN_API_KEY_PLACEHOLDER', 'response': 'json', 'signature': 'ud2x93R63p7cIk/kdPJt1+3lyv8='}"}}
[DEFECT CONFIRMED] Plaintext password leaked in the API error response!
```
---
### Impact
* **Vulnerability Type**: Information Exposure / Plaintext Credential
Leakage (CWE-209 / CWE-532)
* **Assets Compromised**: High-privilege control-plane infrastructure
credentials (including VMware NSX, Netris switches, BigSwitch BCF, and OVM3
hypervisors).
* **Consequences**: An attacker or operator with device configuration
permissions can retrieve the raw plaintext credentials of core SD-WAN
controllers and network switches, enabling them to alter overlay network
topologies, capture data plane traffic, or bypass boundary controls. In the
case of OVM3, leaking agent credentials yields root SSH access on physical
hypervisors. Furthermore, the persistent logging of credentials violates
standard PCI-DSS and security audit compliance controls.
---
### Affected products
- **Ecosystem**: maven
- **Package name**: org.apache.cloudstack:cloudstack
- **Affected versions**: <= 4.22.1.0
- **Patched versions**: <None>
---
### Severity
- **Severity**: High
- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
---
### Weaknesses
- **CWE-209**: Generation of Error Message Containing Sensitive Information
- **CWE-532**: Insertion of Sensitive Information into Log File
---
### Occurrences
| Permalink | Description |
| :--- | :--- |
| [NsxResource.java#L186-L205](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java#L186-L205) | Vulnerable parameter map stringification inside NsxResource configuration validation exceptions. |
| [NetrisResource.java#L190-L204](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/netris/src/main/java/org/apache/cloudstack/resource/NetrisResource.java#L190-L204) | Vulnerable parameter map stringification inside NetrisResource configuration validation exceptions. |
| [BigSwitchBcfResource.java#L106-L124](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/bigswitch/src/main/java/com/cloud/network/resource/BigSwitchBcfResource.java#L106-L124) | Vulnerable parameter map stringification inside BigSwitchBcfResource configuration validation exceptions. |
| [Ovm3HypervisorResource.java#L308](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java#L308) | Plaintext logging of the parameters map containing passwords inside Ovm3HypervisorResource configuration debug statements. |
--
This is an automated message from the Apache Git Service.