namsral opened a new issue, #10339:
URL: https://github.com/apache/cloudstack/issues/10339
### Problem
The S3 credentials used to create a Secondary Storage instance are leaked to
the following files:
- /var/log/cloudstack/management/access.log
- /var/log/cloudstack/management/management-server.log
Although debug mode is enabled, I don't recommend logging secrets like
S3 credentials.
Example entry containing the S3 credentials (sensitive information is
redacted):
```
2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource]
(pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command
"DownloadCommand" [
{
"hvm": false,
"description": "SystemVM Template (KVM)",
"checksum": "6bb8edf3c062ed5625a3a8f17b3eedc9",
"maxDownloadSizeInBytes": 53687091200,
"id": 3,
"resourceType": "TEMPLATE",
"installPath": "template/tmpl/1/3/routing-3",
"_store": {
"id": 2,
"uuid": "0f1bd354-0dc3-4e65-a370-6b02acec0735",
"accessKey": "<redacted>",
"secretKey": "<redacted>",
"endPoint": "http://<redacted>",
"bucketName": "cloudstack",
"httpsFlag": false,
"created": "Feb 6, 2025, 3:50:27 PM",
"enableRRS": false,
"maxSingleUploadSizeInBytes": 5368709120
},
"followRedirects": false,
"url":
"https://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.0-x86_64-kvm.qcow2.bz2",
"format": "QCOW2",
"accountId": 1,
"name": "routing-3",
"contextMap": {},
"wait": 0,
"bypassHostMaintenance": false
}
]
```
### Versions
CloudStack: 4.20.0.0
Hypervisor: KVM
Secondary Storage: Ceph RGW S3
Distro: Ubuntu 22.04 LTS
### The steps to reproduce the bug
1. Deploy CloudStack Management server version 4.20.0.0
2. Create a Secondary Storage using S3 credentials (accessKey and secretKey)
3. Grep the log file directory for the secret key: `grep <secretKey> -R /var/log/cloudstack/management/{access,management-server}.log`
### What to do about it?
Redact at least the secretKey from the log entry.
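One way to keep credential fields out of the "Executing command" line while leaving the wire serialization intact is to give the logging path its own Gson instance with an exclusion strategy. The example below is added here and is not code from the issue or from CloudStack; it assumes Gson is on the classpath, and the `@Sensitive` annotation, the `S3Store` and `DownloadCommand` stand-ins and all field values are constructed for illustration (CloudStack's own code base has a field-level `@LogLevel` annotation serving a similar purpose; the hypothetical `@Sensitive` here stands in for it so the example is self-contained).

```java
import com.google.gson.ExclusionStrategy;
import com.google.gson.FieldAttributes;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

public class RedactedCommandLogging {

    // Hypothetical marker annotation: fields carrying it are still serialized for
    // the wire (plain Gson) but are skipped by the logging Gson instance.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    public @interface Sensitive {}

    // Minimal stand-in for the "_store" object seen in the reported log line.
    // All values are constructed sample data, not real credentials.
    static class S3Store {
        int id = 2;
        String uuid = "0f1bd354-0dc3-4e65-a370-6b02acec0735";
        @Sensitive String accessKey = "AKIA-EXAMPLE-ACCESS-KEY";
        @Sensitive String secretKey = "example-secret-key-value";
        String endPoint = "http://rgw.example.internal";
        String bucketName = "cloudstack";
    }

    // Stand-in for the command object that gets logged before execution.
    static class DownloadCommand {
        int id = 3;
        String installPath = "template/tmpl/1/3/routing-3";
        S3Store _store = new S3Store();
    }

    // Skip @Sensitive fields and, as a second line of defence, any field whose
    // name looks like a credential in case a new command class forgets the annotation.
    static final ExclusionStrategy SENSITIVE_FIELDS = new ExclusionStrategy() {
        @Override
        public boolean shouldSkipField(FieldAttributes f) {
            if (f.getAnnotation(Sensitive.class) != null) {
                return true;
            }
            String name = f.getName().toLowerCase();
            return name.contains("secret") || name.contains("password") || name.contains("accesskey");
        }

        @Override
        public boolean shouldSkipClass(Class<?> clazz) {
            return false;
        }
    };

    // Gson instance used only when rendering a command for the log.
    static final Gson LOG_GSON = new GsonBuilder()
            .addSerializationExclusionStrategy(SENSITIVE_FIELDS)
            .create();

    static String forLog(Object command) {
        return LOG_GSON.toJson(command);
    }

    public static void main(String[] args) {
        DownloadCommand cmd = new DownloadCommand();
        String wire = new Gson().toJson(cmd);   // full payload, credentials present
        String logged = forLog(cmd);            // log form, credentials dropped
        System.out.println("Executing command \"DownloadCommand\" " + logged);

        // Self-check: the log form must not contain either credential value,
        // while the wire form must be unaffected by the logging strategy.
        if (logged.contains("example-secret-key-value") || logged.contains("AKIA-EXAMPLE-ACCESS-KEY")) {
            throw new IllegalStateException("credentials leaked into log output");
        }
        if (!wire.contains("example-secret-key-value")) {
            throw new IllegalStateException("wire serialization should be untouched");
        }
    }
}
```

The strategy omits the field rather than replacing its value; if operators need to see that a credential was configured, a Gson `TypeAdapter` on the field type can emit a fixed `<redacted>` placeholder instead. The name-based fallback is deliberately broad, since a missed annotation on one new command class is exactly how this kind of leak reappears after a fix.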