[Security] Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`)

[YLChen-007]

Advisory Details

Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus)

Description:
In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating virtual machines, volumes, or managing templates) is executed under the asynchronous job framework (cloud-framework-jobs). During execution, progress or status updates are processed and logged by the management server via AsyncJobManagerImpl.updateAsyncJobStatus.

While the developers previously patched a sensitive password leak in the job completion logger (completeAsyncJob), they completely missed updateAsyncJobStatus. Specifically, in AsyncJobManagerImpl.java, progress/status updates were directly logged in plain text when DEBUG logging was enabled:

    @Override
    @DB
    public void updateAsyncJobStatus(final long jobId, final int processStatus, final String resultObject) {
        if (logger.isDebugEnabled()) {
            logger.debug("Update async-job progress, job-" + jobId + ", processStatus: " + processStatus + ", result: " + resultObject);
        }

If an asynchronous operation reports progress containing a serialized command response, database configuration, or credentials (such as standard fields containing "password"), these raw, unmasked secrets will leak directly into the management server log files.

---

Summary

An information exposure vulnerability exists in Apache CloudStack's asynchronous job execution framework (cloud-framework-jobs). When DEBUG level logging is enabled on the management server, intermediate status/progress updates containing raw, unmasked sensitive credentials (such as standard "password" fields) are printed in plain text directly to the system log via AsyncJobManagerImpl.updateAsyncJobStatus. This bypasses existing password obfuscation mechanisms implemented in other parts of the job framework.

---

Details

During asynchronous job execution, progress updates are logged via AsyncJobManagerImpl.updateAsyncJobStatus. Unlike AsyncJobManagerImpl.completeAsyncJob, which properly obfuscates user passwords using convertHumanReadableJson(obfuscatePassword(resultObject, HidePassword.value())), updateAsyncJobStatus directly outputs resultObject to the logger without any filtering or sanitization. Consequently, any JSON payload containing sensitive fields such as "password" or database configurations with credentials is written in plain text to log files, exposing them to any user or internal service with log access.

---

PoC

Prerequisites

• A standard Java and Maven build environment.
• The org.apache.cloudstack:cloud-framework-jobs module compiled.
• Logging level for org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl configured to DEBUG.

Reproduction Steps

1. Download the Docker Environment Configuration file: docker-compose.yml
2. Download the Replication Test Automation script: verification_test_Issue-cloudstack-8854.py
3. Download the Control Group Test script: control-obfuscation_check.py
4. Execute the replication script from the root of the workspace to build the module, run the regression test, and witness the plain text leak:

   python3 verification_test_Issue-cloudstack-8854.py

5. Execute the control group script to verify that the password obfuscation logic functions correctly under normal conditions:

   python3 control-obfuscation_check.py

---

Log of Evidence

23:13:05.397 [main] DEBUG org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl - Update async-job progress, job-1, processStatus: 1, result: {"password":"mysecretpassword","other":"field"}
23:13:05.402 [main] DEBUG org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl - job-1 no longer exists, we just log progress info here. progress status: 1
Captured Writer Log Output:
Update async-job progress, job-1, processStatus: 1, result: {"password":"mysecretpassword","other":"field"}job-1 no longer exists, we just log progress info here. progress status: 1
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.185 s <<< FAILURE! - in org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest
[ERROR] testUpdateAsyncJobStatusObfuscation(org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest)  Time elapsed: 0.754 s  <<< FAILURE!
java.lang.AssertionError: Vulnerability Triggered: plaintext password leaked!
        at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest.testUpdateAsyncJobStatusObfuscation(AsyncJobManagerImplTest.java:118)

---

Impact

• Vulnerability Type: Information Exposure / Log Injection of Sensitive Credentials
• Asset Compromise: High. Exposing administrator and virtual machine passwords or other private API keys inside standard log files allows local attackers, internal users, or compromised log ingestion pipelines (ELK, Splunk) to gain complete access to hypervisors, OOB/IPMI consoles, and private cloud infrastructure.

---

Affected products

• Ecosystem: maven
• Package name: org.apache.cloudstack:cloud-framework-jobs
• Affected versions: <= 4.22.1.0 (commit: 348ce953a99246a756b527994f7745a7be038234)
• Patched versions:

---

Severity

• Severity: High
• Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

---

Weaknesses

• CWE: CWE-532: Insertion of Sensitive Information into Log File

---

Occurrences

Permalink	Description
cloudstack/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java Lines 438 to 442 in 348ce95 public void updateAsyncJobStatus(final long jobId, final int processStatus, final String resultObject) { if (logger.isDebugEnabled()) { logger.debug("Update async-job progress, job-" + jobId + ", processStatus: " + processStatus + ", result: " + resultObject); }	The vulnerable logging statement inside updateAsyncJobStatus method that prints raw progress results containing plain text passwords without any obfuscation filter.