YLChen-007 opened a new issue, #12030:
URL: https://github.com/apache/cloudstack/issues/12030
## Description
We have identified a security vulnerability where sensitive data (user-data
and public-keys) is exposed through application logs during the execution of
`VmDataCommand`.
## Data Flow
### 1. Sensitive Data Injection
In `com.cloud.network.router.CommandSetupHelper.generateVmDataCommand`,
sensitive information including user data and public keys is added to the
`VmDataCommand`:
```java
// com.cloud.network.router.CommandSetupHelper.generateVmDataCommand
private VmDataCommand generateVmDataCommand(final VirtualRouter router,
final String vmPrivateIpAddress, final String userData, String userDataDetails,
final String serviceOffering,
final String zoneName, final
String publicIpAddress, final String vmName, final String vmInstanceName, final
long vmId, final String vmUuid, final String publicKey,
final long guestNetworkId,
String hostname) {
final VmDataCommand cmd = new VmDataCommand(vmPrivateIpAddress,
vmName, _networkModel.getExecuteInSeqNtwkElmtCmd());
...
cmd.addVmData("userdata", "user-data", userData);
...
cmd.addVmData("metadata", "public-keys", publicKey);
```
### 2. Script Construction with Sensitive Data
In
`com.cloud.baremetal.networkservice.BaremetalKickStartPxeResource.execute`, the
VM data containing sensitive information is retrieved and embedded into a shell
script command:
```java
//com.cloud.baremetal.networkservice.BaremetalKickStartPxeResource.execute
private Answer execute(VmDataCommand cmd) {
com.trilead.ssh2.Connection sshConnection = new
com.trilead.ssh2.Connection(_ip, 22);
try {
List<String[]> vmData = cmd.getVmData();
StringBuilder sb = new StringBuilder();
for (String[] data : vmData) {
String folder = data[0];
String file = data[1];
String contents = (data[2] == null) ? "none" : data[2];
sb.append(cmd.getVmIpAddress());
sb.append(",");
sb.append(folder);
sb.append(",");
sb.append(file);
sb.append(",");
sb.append(contents); // Sensitive data included here
sb.append(";");
}
String arg = StringUtils.stripEnd(sb.toString(), ";");
String script = String.format("python
/usr/bin/baremetal_user_data.py '%s'", arg);
if (!SSHCmdHelper.sshExecuteCmd(sshConnection, script)) {
return new Answer(cmd, false, "Failed to add user data,
command:" + script);
}
```
### 3. Sensitive Data Logged
Finally, in `com.cloud.utils.ssh.SSHCmdHelper.sshExecuteCmdOneShot`, the
constructed script containing sensitive data is logged at DEBUG level:
```java
// com.cloud.utils.ssh.SSHCmdHelper.sshExecuteCmdOneShot
public static SSHCmdResult sshExecuteCmdOneShot(com.trilead.ssh2.Connection
sshConnection, String cmd) throws SshException {
LOGGER.debug("Executing cmd: " +
cmd.split(KeyStoreUtils.KS_FILENAME)[0]); // ← Sensitive data logged here
Session sshSession = null;
try {
sshSession = sshConnection.openSession();
Thread.sleep(1000);
if (sshSession == null) {
throw new SshException("Cannot open ssh session");
}
// ... execution continues
}
...
if (!StringUtils.isAllEmpty(result.getStdOut(), result.getStdErr())) {
LOGGER.debug("SSH command: " +
cmd.split(KeyStoreUtils.KS_FILENAME)[0] + "\nSSH command output:" +
result.getStdOut().split("-----BEGIN")[0] + "\n" + result.getStdErr()); // ←
Sensitive data logged here again
}
}
```
## Security Impact
This vulnerability results in sensitive information being written to
application logs, including:
- **User-data**: May contain passwords, API keys, configuration secrets, or
other confidential initialization data
- **Public keys**: SSH public keys that could be used for reconnaissance or
social engineering attacks
When debug logging is enabled, this sensitive data becomes accessible to
anyone with access to the log files, potentially including:
- System administrators
- Log aggregation systems
- Backup systems
- Attackers who gain unauthorized access to log storage
This constitutes a violation of security best practices and may lead to
unauthorized access or information disclosure.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
