Title: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs · Issue #13298 · apache/cloudstack · GitHub
Open Graph Title: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs · Issue #13298 · apache/cloudstack
X Title: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs · Issue #13298 · apache/cloudstack
Description: Advisory Details Title: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs Description: A sensitive logging vulnerability exists in the Apache CloudStack PING PXE baremetal plugin. When orchestrating...
Open Graph Description: Advisory Details Title: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs Description: A sensitive logging vulnerability exists in the Apache CloudStack PING ...
X Description: Advisory Details Title: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs Description: A sensitive logging vulnerability exists in the Apache CloudStack PING ...
Opengraph URL: https://github.com/apache/cloudstack/issues/13298
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs","articleBody":"### Advisory Details\n\n**Title**: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs\n\n**Description**:\n\nA sensitive logging vulnerability exists in the Apache CloudStack PING PXE baremetal plugin. When orchestrating resources or preparing booting files on baremetal hosts, the CloudStack Management Server constructs commands containing raw VM user-data (`userdata`), public keys, and CIFS storage password configurations, executing them over SSH.\nHowever, the underlying execution logging helper `SSHCmdHelper.sshExecuteCmdOneShot` only attempts to sanitize command arguments using a crude split logic targeted at `KeyStoreUtils.KS_FILENAME` (`\"cloud.jks\"`). Since baremetal orchestration commands never contain `\"cloud.jks\"`, the split fails to mask any characters, logging the entire command—including raw plaintext credentials and user configuration details—directly into standard system debug logs (e.g., `vmops.log` or `management-server.log`).\n\n### Summary\n\nAn information exposure vulnerability (CWE-532) in the Apache CloudStack Baremetal PING PXE plugin allows any local actor or system administrator with access to debug logs to read plaintext sensitive VM initialization secrets (user-data), SSH keys, and CIFS network storage passwords.\n\n### Details\n\nThe vulnerability manifest itself in two critical variants in `BaremetalPingPxeResource.java`:\n\n#### Variant 1: VM Metadata Exposure via VmDataCommand\nIn `BaremetalPingPxeResource.java` inside `execute(VmDataCommand cmd)`, VM custom metadata is assembled into a single string argument and formatted into a python script call:\n```java\n String script = String.format(\"python /usr/bin/baremetal_user_data.py '%s'\", arg);\n if (!SSHCmdHelper.sshExecuteCmd(sshConnection, script)) {\n return new Answer(cmd, false, \"Failed to add user data, command:\" + script);\n }\n```\nThe variable `arg` contains the plaintext custom user-data (which often holds database passwords, configuration keys, or startup secrets) and public SSH keys.\n\n#### Variant 2: Plaintext CIFS Storage Credential Leakage\nSimilarly, in `execute(PreparePxeServerCommand)` and `execute(PrepareCreateTemplateCommand)`, the resource's CIFS mount storage credential (`_cifsPassword`) is concatenated directly into the shell script format:\n```java\n String script =\n String.format(\"python /usr/bin/prepare_tftp_bootfile.py restore %1$s %2$s %3$s %4$s %5$s %6$s %7$s %8$s %9$s %10$s %11$s\", _tftpDir, cmd.getMac(),\n _storageServer, _share, _dir, cmd.getTemplate(), _cifsUserName, _cifsPassword, cmd.getIp(), cmd.getNetMask(), cmd.getGateWay());\n```\n\nBoth methods route their command execution through `SSHCmdHelper.sshExecuteCmd(sshConnection, script)`. This delegates to `SSHCmdHelper.sshExecuteCmdOneShot`, which implements the logging logic:\n```java\nLOGGER.debug(\"Executing cmd: \" + cmd.split(KeyStoreUtils.KS_FILENAME)[0]);\n```\nSince `KeyStoreUtils.KS_FILENAME` is defined as `\"cloud.jks\"` in `KeyStoreUtils.java`, commands without `\"cloud.jks\"` do not match, evaluating `cmd.split(\"cloud.jks\")[0]` to the original unsanitized string. Consequently, all custom user secrets, SSH public keys, and CIFS mount passwords flow directly into debug logs in plaintext.\n\n### PoC\n\n#### Prerequisites\n\n* Debug logging level enabled on Apache CloudStack Management Server or Agent.\n* PING PXE baremetal plugin configured and active.\n\n#### Reproduction Steps\n\n1. Download the isolated container configuration script from: [docker-compose.yml](https://gist.github.com/YLChen-007/16de890d60948928ff4388ceb06a1f5a)\n2. Download the defect verification script from: [verification_test.py](https://gist.github.com/YLChen-007/d8077c9d6caebf62296f42df517b2dfc)\n3. Download the scientific control test script from: [control-masked_output.py](https://gist.github.com/YLChen-007/32b3be9a34f4a4498bc7b43abcc6f711)\n4. Execute the defect verification script:\n ```bash\n python3 verification_test.py\n ```\n5. Confirm that raw credentials (e.g., `PlaintextSuperSecretPassword123`, `StorageCIFSSuperSecurePassword789!`) are fully leaked under the logged commands section.\n\n### Log of Evidence\n\n```\n[*] Running Issue-cloudstack-12030-BaremetalPingPxe Sensitive Data Exposure Verification...\n[*] Defect Verification - Input Tracing:\n - Sensitive VM User-Data: PlaintextSuperSecretPassword123\n - Sensitive SSH Public Key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuVariantPublicSSHKey\n - Sensitive CIFS Storage Password: StorageCIFSSuperSecurePassword789!\n\n--- EXPERIMENT RESULTS (DEBUG LOGS) ---\n[*] Logged VmDataCommand: python /usr/bin/baremetal_user_data.py '10.0.0.10,metadata,userdata,PlaintextSuperSecretPassword123;10.0.0.10,metadata,sshkey,ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuVariantPublicSSHKey'\n[*] Logged CIFS Command: python /usr/bin/prepare_tftp_bootfile.py restore /tftpboot 00:11:22:33:44:55 192.168.1.10 share dir template cifs_user StorageCIFSSuperSecurePassword789! 10.0.0.10 255.255.255.0 10.0.0.1\n---------------------------------------\n\n[+] SUCCESS: Plaintext sensitive credentials leaked successfully in standard debug logs!\n[+] Status: DEFECT-CONFIRMED\n```\n\n### Impact\n\nThis is a high-severity information exposure vulnerability (CWE-532).\nIf successfully triggered:\n* Attackers with system log access can hijack virtual/baremetal environments by reading raw tenant configurations (user-data, containing startup credentials, database secrets, or API keys).\n* Tenant SSH keys can be exposed, bypassing VM shell access constraints.\n* Core infrastructure CIFS storage network credentials will be exposed, potentially allowing unauthorized actors to compromise and modify base operating system template files.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L157-L162](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L157-L162) | CIFS password exposure during `PreparePxeServerCommand` execution in `BaremetalPingPxeResource.java`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L185-L190](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L185-L190) | CIFS password exposure during `PrepareCreateTemplateCommand` execution in `BaremetalPingPxeResource.java`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L217-L246](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/baremetal/src/main/java/com/cloud/baremetal/networkservice/BaremetalPingPxeResource.java#L217-L246) | VM custom user-data and SSH public key exposure during `VmDataCommand` execution in `BaremetalPingPxeResource.java`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L167](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L167) | Root cause split-based logging logic in `SSHCmdHelper.sshExecuteCmdOneShot` failing to sanitize commands lacking `\"cloud.jks\"`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L230](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L230) | Command output logging in `SSHCmdHelper.sshExecuteCmdOneShot` failing to sanitize logs for commands lacking `\"cloud.jks\"`. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:03:58.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13298/cloudstack/issues/13298"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:ada0c78b-2906-77ec-9d49-00a5ad1afc86 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | C4AA:6435C:D0A52E:12372B3:6A4E8BCA |
| html-safe-nonce | e3002b000cd6993a98cda504c23a06f5d18f442511ef1f87c8666a4101817863 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDNEFBOjY0MzVDOkQwQTUyRToxMjM3MkIzOjZBNEU4QkNBIiwidmlzaXRvcl9pZCI6IjM3OTQwNTkyMjQ5ODk3MzE3ODYiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 4e9f91938fffbe648eec5d84888c3c62355339f592447cc0d80b8916810e503a |
| hovercard-subject-tag | issue:4561048061 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13298/issue_layout |
| twitter:image | https://opengraph.githubassets.com/065c5408bb68c32c56584dff06e313ab6d32700632134787c66dc7c28459dffd/apache/cloudstack/issues/13298 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/065c5408bb68c32c56584dff06e313ab6d32700632134787c66dc7c28459dffd/apache/cloudstack/issues/13298 |
| og:image:alt | Advisory Details Title: Sensitive User Data and Storage Credentials Exposure in Baremetal PING PXE Resource Logs Description: A sensitive logging vulnerability exists in the Apache CloudStack PING ... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 41b6ab3ba6d20a71766ac245b5a4a94c6fc672a9cd4da7d44c1b33ab8bf6a21c |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | e6a744804e8e70f97b4d5a18a94dcc63db22f97a |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width