YLChen-007 opened a new issue, #13311:
URL: https://github.com/apache/cloudstack/issues/13311
### Advisory Details
**Title**: Apache CloudStack `ApiServlet` logs duplicate sensitive query
parameter values in plaintext before authentication
**Description**:
### Summary
Apache CloudStack exposes a sensitive information disclosure issue in the
`/client/api` request entrypoint. When a request contains duplicate query
parameters, `com.cloud.api.ApiServlet` emits a WARN log stating that only the
last value will be respected. For sensitive parameters such as `password`, the
servlet formats the warning with `Arrays.toString(v)` and writes the raw values
to the log before authentication, request verification, or command dispatch
occurs. A remote caller can therefore cause plaintext credential material to be
recorded in management logs even when the HTTP request itself fails with `401
Unauthorized`.
### Details
The issue is in `server/src/main/java/com/cloud/api/ApiServlet.java`. Inside
`processRequestInContext`, CloudStack reads the servlet parameter map and
immediately passes it to `checkSingleQueryParameterValue(reqParams)`. That
helper logs duplicate values without masking sensitive keys.
```java
private void checkSingleQueryParameterValue(Map<String, String[]> params) {
params.forEach((k, v) -> {
if (v.length > 1) {
String message = String.format("Query parameter '%s' has
multiple values %s. Only the last value will be respected." +
"It is advised to pass only a single parameter", k,
Arrays.toString(v));
LOGGER.warn(message);
}
});
}
```
The vulnerable control flow is:
1. External caller reaches `/client/api` through Jetty.
2. `ApiServlet.processRequestInContext(...)` calls `req.getParameterMap()`.
3. `checkSingleQueryParameterValue(reqParams)` executes before
`verifyRequest(...)`.
4. `LOGGER.warn(...)` writes duplicate sensitive values in plaintext.
5. Only after that does the request continue into UTF-8 fixup,
authentication, and API dispatch.
This is why the issue is reachable from an external network client without
valid credentials. In the manual and automated verification environment, the
request returned `401`, but the warning log still contained both password
values.
The servlet is the standard API front door defined in
`client/src/main/webapp/WEB-INF/web.xml`:
```xml
<servlet>
<servlet-name>apiServlet</servlet-name>
<servlet-class>com.cloud.api.ApiServlet</servlet-class>
<load-on-startup>5</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>apiServlet</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
```
### PoC
#### Prerequisites
- A checkout of Apache CloudStack on the affected branch or release.
- Java, Maven, and Python 3 installed locally.
- Network access to fetch Maven dependencies.
- The PoC uses a minimal Jetty harness because a full current-branch
management-server E2E startup was not stable in this lab. The vulnerable code
path itself is the real `ApiServlet` from the target project.
#### Reproduction Steps
1. Download the harness launcher from:
[start_harness.sh](https://gist.github.com/YLChen-007/3f72b3b782f801c962f85131131c33fc)
2. Download the minimal servlet harness from:
[ApiServletHarnessServer.java](https://gist.github.com/YLChen-007/911719873d1971e07abaf1cd36e53878)
3. Download the Log4j harness config from:
[log4j2-harness.xml](https://gist.github.com/YLChen-007/983e67bf057554fc92f87fc4a59c96d8)
4. Download the automation wrapper from:
[verification_test.py](https://gist.github.com/YLChen-007/545bad01b0931a4434453e53180aaafe)
5. Optionally download the control case from:
[control-normal_behavior.py](https://gist.github.com/YLChen-007/f1a14cba0f26748d94ad818570ec4ff4)
6. Place the files in one working directory with
`ApiServletHarnessServer.java` under `src/`.
7. Start the PoC harness:
`bash start_harness.sh --port 18085`
8. In another terminal, send a duplicate sensitive parameter request:
`curl -i
'http://127.0.0.1:18085/client/api?command=listCapabilities&response=json&password=MANUAL_SECRET_ONE&password=MANUAL_SECRET_TWO'`
9. Observe the harness console output. The request may return `401
Unauthorized`, but the server log will contain both password values in the WARN
line.
10. For an automated check, run:
`python3 verification_test.py`
### Log of Evidence
Manual trigger evidence captured during verification:
```text
HTTP/1.1 401 Unauthorized
...
{"error":"stubbed after duplicate-parameter check"}
WARN com.cloud.api.ApiServlet - Query parameter 'password' has multiple
values [MANUAL_SECRET_ONE, MANUAL_SECRET_TWO]. Only the last value will be
respected.It is advised to pass only a single parameter
```
Automated verification evidence:
```text
[MODE] Integration-Test
[OBSERVED_WARNING] WARN com.cloud.api.ApiServlet - Query parameter
'password' has multiple values [EXP_SECRET_ALPHA_8852, EXP_SECRET_BETA_8852].
Only the last value will be respected.It is advised to pass only a single
parameter
[OBSERVED_LEAK_ALPHA] True
[OBSERVED_LEAK_BETA] True
[CLASSIFICATION] DEFECT-CONFIRMED-WITH-LIMITATIONS
```
Control evidence:
```text
[MODE] Integration-Test Control
[OBSERVED_WARNING] WARN com.cloud.api.ApiServlet - Query parameter
'username' has multiple values [CONTROL_USER_ALPHA_8852,
CONTROL_USER_BETA_8852]. Only the last value will be respected.It is advised to
pass only a single parameter
[OBSERVED_PASSWORD_SECRET] False
[CONTROL] SUCCESS
```
### Impact
This is an information disclosure vulnerability in the API control plane.
Any actor who can send requests to `/client/api` can force plaintext sensitive
values into management logs simply by repeating a sensitive parameter name. The
immediate impact is credential leakage to anyone with access to local logs,
centralized log collection, support bundles, or backups. Depending on the
leaked parameter, this can expose administrator passwords, API secrets, session
tokens, or other credentials that can later be reused against CloudStack.
### Affected products
- **Ecosystem**: maven
- **Package name**: org.apache.cloudstack:cloudstack
- **Affected versions**: <= 4.22.1.0
- **Patched versions**: <None>
### Severity
- **Severity**: Medium
- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
### Weaknesses
- **CWE**: CWE-200: Exposure of Sensitive Information to an Unauthorized
Actor
### Occurrences
| Permalink | Description |
| :--- | :--- |
|
[https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L199-L204](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L199-L204)
| `checkSingleQueryParameterValue` formats duplicate query parameter values
with `Arrays.toString(v)` and writes them directly with `LOGGER.warn(...)`
without any sensitive-key masking. |
|
[https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L229-L230](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L229-L230)
| `processRequestInContext` invokes the duplicate-parameter warning path
immediately after `req.getParameterMap()`, before authentication and request
verification. |
|
[https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/client/src/main/webapp/WEB-INF/web.xml#L45-L60](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/client/src/main/webapp/WEB-INF/web.xml#L45-L60)
| The standard `/client/api` servlet mapping shows this vulnerable code is on
the default external HTTP API path. |
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
