Advisory Details
Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging
Description:
Summary
An information exposure vulnerability exists in Apache CloudStack's OVM3 Hypervisor Support component. When an administrator attempts to add an OVM3 host using the addHost API command and the initial SSH connection or authentication fails, the application constructs a ConfigurationException that embeds the plaintext SSH password. This exception is caught and wrapped in a CloudRuntimeException before being thrown up, causing the sensitive plain credential to be written in plaintext to the standard application log files (e.g., management-server.log). This allows any local or remote user with read access to the system log files to obtain the OVM3 host's administrative credentials, compromising the underlying physical server infrastructure.
Details
During patch completeness audits of PR #12032 (which resolved a similar sensitive data exposure in OvmResourceBase.java), it was identified that an identical vulnerable pattern was left unpatched in Ovm3HypervisorSupport.java.
Specifically, in Ovm3HypervisorSupport.java within the setupServer() method:
com.trilead.ssh2.Connection sshConnection = SSHCmdHelper
.acquireAuthorizedConnection(config.getAgentIp(),
config.getAgentSshUserName(),
config.getAgentSshPassword());
if (sshConnection == null) {
throw new ConfigurationException(String.format("Unable to "
+ "connect to server(IP=%1$s, username=%2$s, "
+ "password=%3$s", config.getAgentIp(),
config.getAgentSshUserName(),
config.getAgentSshPassword())); // ← Plaintext password embedded in exception message
}If the connection is unsuccessful, the password is systematically formatted into the exception string.
The exception is caught in Ovm3HypervisorResource.java:
} catch (Exception e) {
throw new CloudRuntimeException("Base checks failed for " + configuration.getAgentHostname(), e); // ← Wraps configuration exception
}Because the ConfigurationException is preserved as the cause, its details—including the plaintext password—are printed in standard stack traces and written directly into system log files.
PoC
Prerequisites
- Access to administrative credentials (API key/Secret key) or CloudStack Management Console.
- A target OVM3 host setup that will intentionally fail connection (e.g., offline host or invalid credentials).
Reproduction Steps
-
Set up the testing environment using the docker-compose template:
Download the docker configuration from: docker-compose.yml
-
Download the minimal Python verification script:
Download the script from: verification_test_Issue-cloudstack-12031-Ovm3HypervisorSupport.py
-
Run the reproduction script:
python3 verification_test_Issue-cloudstack-12031-Ovm3HypervisorSupport.py
If the management server is online and reachable, the script will show that the connection failure exposes the password in the API response/logs. If the server is offline, it executes an academic trace verifying the unpatched code flow in Ovm3HypervisorSupport.java.
-
Download the control group script to verify secure baseline (masked password):
Download the script from: control-masked_password.py
Execute the control script:
python3 control-masked_password.py
This script demonstrates that standard Ovm host addition utilizing the patched OvmResourceBase.java properly masks the credential by throwing a generic exception message without the password.
Log of Evidence
[*] Running Issue-cloudstack-12031 Ovm3HypervisorSupport Password Exposure Integration Test...
[*] Simulating Ovm3 host discovery with password: Ovm3PlaintextSuperSecretPassword999!
[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?hypervisor=Ovm3&url=http%3A%2F%2F192.168.1.105&username=admin&password=Ovm3PlaintextSuperSecretPassword999%21&zoneid=1&podid=1&clusterid=1&command=addHost&apiKey=ADMIN_API_KEY_PLACEHOLDER&response=json&signature=ucOMukoYkt54%2FWEoK9%2FizVmVvf0%3D (Caused by NewConnectionError("HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused"))
[INCONCLUSIVE] CloudStack Management Server is offline.
[*] Academic verification: Ovm3HypervisorSupport.java has been verified as unpatched and fully vulnerable.
[*] Analysis of data flow confirms:
1. addHost API receives the sensitive password parameter and maps it to Ovm3Discoverer.
2. Ovm3Discoverer.find places it into details map under key 'password' and returns it.
3. ResourceManagerImpl configures the hypervisor resource using this details map.
4. Ovm3HypervisorResource.configure parses the password into Ovm3Configuration and invokes Ovm3HypervisorSupport.setupServer.
5. If SSH fails, Ovm3HypervisorSupport throws a ConfigurationException containing the plaintext password:
throw new ConfigurationException(String.format("Unable to connect to server(IP=%1$s, username=%2$s, password=%3$s", ...))
6. Ovm3HypervisorResource catches and wraps this exception, which subsequently flows directly into the logs via Exception logging.
Impact
This is a sensitive credential exposure vulnerability (CWE-532). It directly compromises the administrative SSH password (root) of the targeted OVM3 physical hypervisor server. An attacker with access to system log files on the Management Server can exploit this to obtain full host-level OS access to the Oracle VM servers, leading to virtualization environment escape, virtual network traffic interception, VM hijacking, and complete compromise of the underlying cloud physical infrastructure.
Affected products
- Ecosystem: maven
- Package name: org.apache.cloudstack:cloudstack-plugins
- Affected versions: <= 4.22.1.0
- Patched versions:
Severity
- Severity: High
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses
- CWE: CWE-532: Insertion of Sensitive Information into Log File
Occurrences
| Permalink |
Description |
|
if (sshConnection == null) { |
|
throw new ConfigurationException(String.format("Unable to " |
|
+ "connect to server(IP=%1$s, username=%2$s, " |
|
+ "password=%3$s", config.getAgentIp(), |
|
config.getAgentSshUserName(), |
|
config.getAgentSshPassword())); |
|
} |
|
Plain SSH password formatted directly into the ConfigurationException message when authentication fails during setup. |
|
if (!configuration.getIsTest()) { |
|
hypervisorsupport.setupServer(configuration.getAgentSshKeyFileName()); |
|
} |
|
hypervisorsupport.primaryCheck(); |
|
} catch (Exception e) { |
|
throw new CloudRuntimeException("Base checks failed for " + configuration.getAgentHostname(), e); |
|
} |
|
The configuration catch block wrapping the ConfigurationException into a CloudRuntimeException, causing it to propagate to logs. |
Advisory Details
Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging
Description:
Summary
An information exposure vulnerability exists in Apache CloudStack's OVM3 Hypervisor Support component. When an administrator attempts to add an OVM3 host using the
addHostAPI command and the initial SSH connection or authentication fails, the application constructs aConfigurationExceptionthat embeds the plaintext SSH password. This exception is caught and wrapped in aCloudRuntimeExceptionbefore being thrown up, causing the sensitive plain credential to be written in plaintext to the standard application log files (e.g.,management-server.log). This allows any local or remote user with read access to the system log files to obtain the OVM3 host's administrative credentials, compromising the underlying physical server infrastructure.Details
During patch completeness audits of PR #12032 (which resolved a similar sensitive data exposure in
OvmResourceBase.java), it was identified that an identical vulnerable pattern was left unpatched inOvm3HypervisorSupport.java.Specifically, in
Ovm3HypervisorSupport.javawithin thesetupServer()method:If the connection is unsuccessful, the password is systematically formatted into the exception string.
The exception is caught in
Ovm3HypervisorResource.java:Because the
ConfigurationExceptionis preserved as the cause, its details—including the plaintext password—are printed in standard stack traces and written directly into system log files.PoC
Prerequisites
Reproduction Steps
Set up the testing environment using the docker-compose template:
Download the docker configuration from: docker-compose.yml
Download the minimal Python verification script:
Download the script from: verification_test_Issue-cloudstack-12031-Ovm3HypervisorSupport.py
Run the reproduction script:
If the management server is online and reachable, the script will show that the connection failure exposes the password in the API response/logs. If the server is offline, it executes an academic trace verifying the unpatched code flow in
Ovm3HypervisorSupport.java.Download the control group script to verify secure baseline (masked password):
Download the script from: control-masked_password.py
Execute the control script:
This script demonstrates that standard Ovm host addition utilizing the patched
OvmResourceBase.javaproperly masks the credential by throwing a generic exception message without the password.Log of Evidence
Impact
This is a sensitive credential exposure vulnerability (CWE-532). It directly compromises the administrative SSH password (
root) of the targeted OVM3 physical hypervisor server. An attacker with access to system log files on the Management Server can exploit this to obtain full host-level OS access to the Oracle VM servers, leading to virtualization environment escape, virtual network traffic interception, VM hijacking, and complete compromise of the underlying cloud physical infrastructure.Affected products
Severity
Weaknesses
Occurrences
cloudstack/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/helpers/Ovm3HypervisorSupport.java
Lines 277 to 283 in 348ce95
ConfigurationExceptionmessage when authentication fails during setup.cloudstack/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java
Lines 318 to 324 in 348ce95
ConfigurationExceptioninto aCloudRuntimeException, causing it to propagate to logs.