[Security] Apache CloudStack `ApiServlet` logs duplicate sensitive query parameter values in plaintext before authentication

[YLChen-007]

Advisory Details

Title: Apache CloudStack ApiServlet logs duplicate sensitive query parameter values in plaintext before authentication

Description:

Summary

Apache CloudStack exposes a sensitive information disclosure issue in the /client/api request entrypoint. When a request contains duplicate query parameters, com.cloud.api.ApiServlet emits a WARN log stating that only the last value will be respected. For sensitive parameters such as password, the servlet formats the warning with Arrays.toString(v) and writes the raw values to the log before authentication, request verification, or command dispatch occurs. A remote caller can therefore cause plaintext credential material to be recorded in management logs even when the HTTP request itself fails with 401 Unauthorized.

Details

The issue is in server/src/main/java/com/cloud/api/ApiServlet.java. Inside processRequestInContext, CloudStack reads the servlet parameter map and immediately passes it to checkSingleQueryParameterValue(reqParams). That helper logs duplicate values without masking sensitive keys.

private void checkSingleQueryParameterValue(Map<String, String[]> params) {
    params.forEach((k, v) -> {
        if (v.length > 1) {
            String message = String.format("Query parameter '%s' has multiple values %s. Only the last value will be respected." +
                "It is advised to pass only a single parameter", k, Arrays.toString(v));
            LOGGER.warn(message);
        }
    });
}

The vulnerable control flow is:

1. External caller reaches /client/api through Jetty.
2. ApiServlet.processRequestInContext(...) calls req.getParameterMap().
3. checkSingleQueryParameterValue(reqParams) executes before verifyRequest(...).
4. LOGGER.warn(...) writes duplicate sensitive values in plaintext.
5. Only after that does the request continue into UTF-8 fixup, authentication, and API dispatch.

This is why the issue is reachable from an external network client without valid credentials. In the manual and automated verification environment, the request returned 401, but the warning log still contained both password values.

The servlet is the standard API front door defined in client/src/main/webapp/WEB-INF/web.xml:

<servlet>
    <servlet-name>apiServlet</servlet-name>
    <servlet-class>com.cloud.api.ApiServlet</servlet-class>
    <load-on-startup>5</load-on-startup>
</servlet>
<servlet-mapping>
     <servlet-name>apiServlet</servlet-name>
     <url-pattern>/api/*</url-pattern>
</servlet-mapping>

PoC

Prerequisites

• A checkout of Apache CloudStack on the affected branch or release.
• Java, Maven, and Python 3 installed locally.
• Network access to fetch Maven dependencies.
• The PoC uses a minimal Jetty harness because a full current-branch management-server E2E startup was not stable in this lab. The vulnerable code path itself is the real ApiServlet from the target project.

Reproduction Steps

1. Download the harness launcher from: start_harness.sh
2. Download the minimal servlet harness from: ApiServletHarnessServer.java
3. Download the Log4j harness config from: log4j2-harness.xml
4. Download the automation wrapper from: verification_test.py
5. Optionally download the control case from: control-normal_behavior.py
6. Place the files in one working directory with ApiServletHarnessServer.java under src/.
7. Start the PoC harness:
   bash start_harness.sh --port 18085
8. In another terminal, send a duplicate sensitive parameter request:
   curl -i 'http://127.0.0.1:18085/client/api?command=listCapabilities&response=json&password=MANUAL_SECRET_ONE&password=MANUAL_SECRET_TWO'
9. Observe the harness console output. The request may return 401 Unauthorized, but the server log will contain both password values in the WARN line.
10. For an automated check, run:
    python3 verification_test.py

Log of Evidence

Manual trigger evidence captured during verification:

HTTP/1.1 401 Unauthorized
...
{"error":"stubbed after duplicate-parameter check"}

WARN com.cloud.api.ApiServlet - Query parameter 'password' has multiple values [MANUAL_SECRET_ONE, MANUAL_SECRET_TWO]. Only the last value will be respected.It is advised to pass only a single parameter

Automated verification evidence:

[MODE] Integration-Test
[OBSERVED_WARNING] WARN com.cloud.api.ApiServlet - Query parameter 'password' has multiple values [EXP_SECRET_ALPHA_8852, EXP_SECRET_BETA_8852]. Only the last value will be respected.It is advised to pass only a single parameter
[OBSERVED_LEAK_ALPHA] True
[OBSERVED_LEAK_BETA] True
[CLASSIFICATION] DEFECT-CONFIRMED-WITH-LIMITATIONS

Control evidence:

[MODE] Integration-Test Control
[OBSERVED_WARNING] WARN com.cloud.api.ApiServlet - Query parameter 'username' has multiple values [CONTROL_USER_ALPHA_8852, CONTROL_USER_BETA_8852]. Only the last value will be respected.It is advised to pass only a single parameter
[OBSERVED_PASSWORD_SECRET] False
[CONTROL] SUCCESS

Impact

This is an information disclosure vulnerability in the API control plane. Any actor who can send requests to /client/api can force plaintext sensitive values into management logs simply by repeating a sensitive parameter name. The immediate impact is credential leakage to anyone with access to local logs, centralized log collection, support bundles, or backups. Depending on the leaked parameter, this can expose administrator passwords, API secrets, session tokens, or other credentials that can later be reused against CloudStack.

Affected products

• Ecosystem: maven
• Package name: org.apache.cloudstack:cloudstack
• Affected versions: <= 4.22.1.0
• Patched versions:

Severity

• Severity: Medium
• Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

• CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Occurrences

Permalink	Description
cloudstack/server/src/main/java/com/cloud/api/ApiServlet.java Lines 199 to 204 in 348ce95 private void checkSingleQueryParameterValue(Map<String, String[]> params) { params.forEach((k, v) -> { if (v.length > 1) { String message = String.format("Query parameter '%s' has multiple values %s. Only the last value will be respected." + "It is advised to pass only a single parameter", k, Arrays.toString(v)); LOGGER.warn(message);	checkSingleQueryParameterValue formats duplicate query parameter values with Arrays.toString(v) and writes them directly with LOGGER.warn(...) without any sensitive-key masking.
cloudstack/server/src/main/java/com/cloud/api/ApiServlet.java Lines 229 to 230 in 348ce95 Map<String, String[]> reqParams = req.getParameterMap(); checkSingleQueryParameterValue(reqParams);	processRequestInContext invokes the duplicate-parameter warning path immediately after req.getParameterMap(), before authentication and request verification.
cloudstack/client/src/main/webapp/WEB-INF/web.xml Lines 45 to 60 in 348ce95 <servlet> <servlet-name>apiServlet</servlet-name> <servlet-class>com.cloud.api.ApiServlet</servlet-class> <load-on-startup>5</load-on-startup> </servlet> <servlet> <servlet-name>consoleServlet</servlet-name> <servlet-class>com.cloud.servlet.ConsoleProxyServlet</servlet-class> <load-on-startup>6</load-on-startup> </servlet> <servlet-mapping> <servlet-name>apiServlet</servlet-name> <url-pattern>/api/*</url-pattern> </servlet-mapping>	The standard /client/api servlet mapping shows this vulnerable code is on the default external HTTP API path.