Description:

Summary

Multiple instances of credential leakage vulnerabilities have been identified in the codebase where sensitive information (passwords, database credentials, authentication tokens) are being logged directly or exposed through exception messages.

Severity

High - Credentials exposed in logs can be accessed by unauthorized users with log file access, potentially leading to system compromise.

Vulnerability Details

1. Direct Logging of Credentials

The following locations directly log sensitive credentials:

• UriUtils.java (Line 504)

  • cloudstack/utils/src/main/java/com/cloud/utils/UriUtils.java

    Line 504 in 15c2e50

    LOGGER.info("Added username=" + user + ", password=" + password + "for host " + hostAndPort.first() + ":" + hostAndPort.second());

  • Issue: Logs URI containing credentials

• HttpTemplateDownloader.java (Line 154)

  • cloudstack/core/src/main/java/com/cloud/storage/template/HttpTemplateDownloader.java

    Line 154 in 15c2e50

    logger.info("Added username=" + user + ", password=" + password + "for host " + hostAndPort.first() + ":" + hostAndPort.second());

  • Issue: Logs HTTP authentication credentials

• BaremetalDnsmasqResource.java (Line 49)

  • cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalDnsmasqResource.java

    Line 49 in 15c2e50

    logger.debug(String.format("Trying to connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s)", _ip, _username, _password));

  • Issue: Logs baremetal service credentials

• DatabaseCreator.java (Line 102)

  • cloudstack/engine/schema/src/main/java/com/cloud/upgrade/DatabaseCreator.java

    Line 102 in 15c2e50

    System.out.println(String.format("========> Initializing database=%s with host=%s port=%s username=%s password=%s", dbName, host, port, username, password));

  • Issue: Logs database password

2. Credential Exposure through Exception Messages

The following locations expose credentials through exception handling:

• BaremetalDnsmasqResource.java (Line 52)

  • cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalDnsmasqResource.java

    Line 52 in 15c2e50

    throw new ConfigurationException(String.format("Cannot connect to DHCP server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));

• BaremetalKickStartPxeResource.java (Lines 134, 170)

  • cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalKickStartPxeResource.java

    Line 134 in 15c2e50

    throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));

  • cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalKickStartPxeResource.java

    Line 170 in 15c2e50

    throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));

• BaremetalPingPxeResource.java (Lines 154, 182, 240)

  • cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java

    Line 154 in 15c2e50

    throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));

  • cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java

    Line 182 in 15c2e50

    throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));

  • cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java

    Line 240 in 15c2e50

    throw new ConfigurationException(String.format("Cannot connect to PING PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, _password));

• ConsoleProxyResource.java (Line 334)

  • cloudstack/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java

    Line 334 in 15c2e50

    logger.info("Running com.cloud.consoleproxy.ConsoleProxy with encryptor password={}", encryptorPassword);

Correct Implementation Reference

The codebase already contains proper credential masking implementations that should be followed:

• BaremetalKickStartPxeResource.java (Lines 55, 60)
  • Line 55:

    cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalKickStartPxeResource.java

    Line 55 in 15c2e50

    logger.debug(String.format("Trying to connect to kickstart PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));

  • Line 60:

    cloudstack/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalKickStartPxeResource.java

    Line 60 in 15c2e50

    throw new ConfigurationException(String.format("Cannot connect to kickstart PXE server(IP=%1$s, username=%2$s, password=%3$s", _ip, _username, "******"));

  • These lines demonstrate proper password masking before logging

Recommended Fix

1. Mask credentials before logging: Replace actual passwords/credentials with masked values (e.g., ****** or [REDACTED])
2. Sanitize exception messages: Ensure exception messages don't contain sensitive data before throwing
3. Use utility methods: Create/use existing utility methods for credential masking consistently across the codebase
4. Code review: Audit all logging statements for potential credential exposure

Example Fix Pattern

// Before (vulnerable)
logger.debug("Connecting with password: " + password);

// After (secure)
logger.debug("Connecting with password: ******");

Impact

• Credentials in log files can be accessed by system administrators, log aggregation systems, or attackers who gain log file access
• Violates security best practices and compliance requirements (PCI-DSS, GDPR, etc.)
• Increases attack surface for credential theft

References

• CWE-532: Insertion of Sensitive Information into Log File
• OWASP Logging Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html