Title: Sensitive Data Exposure Through Exception Logging in OVM Hypervisor Configuration · Issue #12031 · apache/cloudstack · GitHub
Open Graph Title: Sensitive Data Exposure Through Exception Logging in OVM Hypervisor Configuration · Issue #12031 · apache/cloudstack
X Title: Sensitive Data Exposure Through Exception Logging in OVM Hypervisor Configuration · Issue #12031 · apache/cloudstack
Description: Description We have identified a security vulnerability where sensitive credentials (passwords) are exposed through application logs during OVM (Oracle VM) hypervisor server configuration. The password is embedded in an exception message...
Open Graph Description: Description We have identified a security vulnerability where sensitive credentials (passwords) are exposed through application logs during OVM (Oracle VM) hypervisor server configuration. The pass...
X Description: Description We have identified a security vulnerability where sensitive credentials (passwords) are exposed through application logs during OVM (Oracle VM) hypervisor server configuration. The pass...
Opengraph URL: https://github.com/apache/cloudstack/issues/12031
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive Data Exposure Through Exception Logging in OVM Hypervisor Configuration","articleBody":"## Description\n\nWe have identified a security vulnerability where sensitive credentials (passwords) are exposed through application logs during OVM (Oracle VM) hypervisor server configuration. The password is embedded in an exception message and subsequently logged when the exception is caught.\n\n## Data Flow\n\n### 1. Exception Thrown with Password in Message\n\nIn `com.cloud.ovm.hypervisor.OvmResourceBase.setupServer`, when an SSH connection fails, a `CloudRuntimeException` is thrown with the password included in the error message:\n\n```java\n// com.cloud.ovm.hypervisor.OvmResourceBase.setupServer()\nprotected void setupServer() throws IOException {\n ...\n if (sshConnection == null) {\n throw new CloudRuntimeException(String.format(\"Cannot connect to ovm host(IP=%1$s, username=%2$s, password=%3$s\", \n _ip, _username, _password)); // ← Password embedded in exception message\n }\n ...\n }\n```\n\n### 2. Exception Logged with Sensitive Data\n\nIn `com.cloud.ovm.hypervisor.OvmResourceBase.configure`, the exception is caught and logged at DEBUG level, which causes the password to be written to the application logs:\n\n```java\n// com.cloud.ovm.hypervisor.OvmResourceBase.configure(String name, Map\u003cString, Object\u003e params)\n try {\n setupServer();\n } catch (Exception e) {\n logger.debug(\"Setup server failed, ip \" + _ip, e); // ← Exception with password logged here\n throw new ConfigurationException(\"Unable to setup server\");\n }\n```\n\n## Vulnerability Analysis\n\nThe vulnerability chain consists of:\n\n1. **Password in Exception Message**: The `setupServer()` method constructs an exception message that includes the plaintext password used for SSH authentication\n2. **Exception Propagation**: The exception is thrown and caught by the calling method\n3. **Debug Logging**: The caught exception (including its message containing the password) is logged at DEBUG level\n4. **Log Persistence**: The password is permanently written to log files where it can be accessed by unauthorized parties\n","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2025-11-08T12:52:38.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/12031/cloudstack/issues/12031"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:c1184d54-a779-c7b9-e1a0-e22138b9708b |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | A6DA:9775E:1A36FD7:23CBF04:6A4F1916 |
| html-safe-nonce | 021712dc6a6f7142b27872b5e6f9e9ac2ff3db23e0b00b0de1b0a7e5d7307e42 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBNkRBOjk3NzVFOjFBMzZGRDc6MjNDQkYwNDo2QTRGMTkxNiIsInZpc2l0b3JfaWQiOiI1NjA0NTEyNDg1NzE1NDE3MzY2IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 9cbd18f6cc2357b5be65a967f16b3d5810de5f9de7961ec0944f53babc4407d5 |
| hovercard-subject-tag | issue:3603533764 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/12031/issue_layout |
| twitter:image | https://opengraph.githubassets.com/5975e2b9316181c3dd439a5a5a60cbcc6ce91165b076e7908791f72cfbc12290/apache/cloudstack/issues/12031 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/5975e2b9316181c3dd439a5a5a60cbcc6ce91165b076e7908791f72cfbc12290/apache/cloudstack/issues/12031 |
| og:image:alt | Description We have identified a security vulnerability where sensitive credentials (passwords) are exposed through application logs during OVM (Oracle VM) hypervisor server configuration. The pass... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | b92d11c0aa4a77d54ef4af1078b6a15fb5a70a215b30c4ecf28889d5a8e656d9 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 2b8f23afb982271f1b22258a94aede67a6b77760 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width