Title: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`) · Issue #13301 · apache/cloudstack · GitHub
Open Graph Title: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`) · Issue #13301 · apache/cloudstack
X Title: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`) · Issue #13301 · apache/cloudstack
Description: Advisory Details Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus) Description: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating virtual machines, volumes, or managing ...
Open Graph Description: Advisory Details Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus) Description: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating...
X Description: Advisory Details Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus) Description: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating...
Opengraph URL: https://github.com/apache/cloudstack/issues/13301
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`)","articleBody":"### Advisory Details\n\n**Title**: Sensitive Password Leak in Async Job Status Update Logging (`updateAsyncJobStatus`)\n\n**Description**:\nIn Apache CloudStack, any asynchronous task triggered by a user (e.g. creating virtual machines, volumes, or managing templates) is executed under the asynchronous job framework (`cloud-framework-jobs`). During execution, progress or status updates are processed and logged by the management server via `AsyncJobManagerImpl.updateAsyncJobStatus`.\n\nWhile the developers previously patched a sensitive password leak in the job completion logger (`completeAsyncJob`), they completely missed `updateAsyncJobStatus`. Specifically, in [AsyncJobManagerImpl.java](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442), progress/status updates were directly logged in plain text when `DEBUG` logging was enabled:\n```java\n @Override\n @DB\n public void updateAsyncJobStatus(final long jobId, final int processStatus, final String resultObject) {\n if (logger.isDebugEnabled()) {\n logger.debug(\"Update async-job progress, job-\" + jobId + \", processStatus: \" + processStatus + \", result: \" + resultObject);\n }\n```\n\nIf an asynchronous operation reports progress containing a serialized command response, database configuration, or credentials (such as standard fields containing `\"password\"`), these raw, unmasked secrets will leak directly into the management server log files.\n\n---\n\n### Summary\n\nAn information exposure vulnerability exists in Apache CloudStack's asynchronous job execution framework (`cloud-framework-jobs`). When `DEBUG` level logging is enabled on the management server, intermediate status/progress updates containing raw, unmasked sensitive credentials (such as standard `\"password\"` fields) are printed in plain text directly to the system log via `AsyncJobManagerImpl.updateAsyncJobStatus`. This bypasses existing password obfuscation mechanisms implemented in other parts of the job framework.\n\n---\n\n### Details\n\nDuring asynchronous job execution, progress updates are logged via `AsyncJobManagerImpl.updateAsyncJobStatus`. Unlike `AsyncJobManagerImpl.completeAsyncJob`, which properly obfuscates user passwords using `convertHumanReadableJson(obfuscatePassword(resultObject, HidePassword.value()))`, `updateAsyncJobStatus` directly outputs `resultObject` to the logger without any filtering or sanitization. Consequently, any JSON payload containing sensitive fields such as `\"password\"` or database configurations with credentials is written in plain text to log files, exposing them to any user or internal service with log access.\n\n---\n\n### PoC\n\n#### Prerequisites\n- A standard Java and Maven build environment.\n- The `org.apache.cloudstack:cloud-framework-jobs` module compiled.\n- Logging level for `org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl` configured to `DEBUG`.\n\n#### Reproduction Steps\n\n1. Download the Docker Environment Configuration file: [docker-compose.yml](https://gist.github.com/YLChen-007/e804cb11fb975c6d23a81fc8d6b95c0f)\n2. Download the Replication Test Automation script: [verification_test_Issue-cloudstack-8854.py](https://gist.github.com/YLChen-007/685a0d477c87272d11ccb5cab2fe2d2a)\n3. Download the Control Group Test script: [control-obfuscation_check.py](https://gist.github.com/YLChen-007/41c50a13a5beec322cc672a014eee7f4)\n4. Execute the replication script from the root of the workspace to build the module, run the regression test, and witness the plain text leak:\n ```bash\n python3 verification_test_Issue-cloudstack-8854.py\n ```\n5. Execute the control group script to verify that the password obfuscation logic functions correctly under normal conditions:\n ```bash\n python3 control-obfuscation_check.py\n ```\n\n---\n\n### Log of Evidence\n\n```text\n23:13:05.397 [main] DEBUG org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl - Update async-job progress, job-1, processStatus: 1, result: {\"password\":\"mysecretpassword\",\"other\":\"field\"}\n23:13:05.402 [main] DEBUG org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl - job-1 no longer exists, we just log progress info here. progress status: 1\nCaptured Writer Log Output:\nUpdate async-job progress, job-1, processStatus: 1, result: {\"password\":\"mysecretpassword\",\"other\":\"field\"}job-1 no longer exists, we just log progress info here. progress status: 1\n[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 1.185 s \u003c\u003c\u003c FAILURE! - in org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest\n[ERROR] testUpdateAsyncJobStatusObfuscation(org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest) Time elapsed: 0.754 s \u003c\u003c\u003c FAILURE!\njava.lang.AssertionError: Vulnerability Triggered: plaintext password leaked!\n at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImplTest.testUpdateAsyncJobStatusObfuscation(AsyncJobManagerImplTest.java:118)\n```\n\n---\n\n### Impact\n\n- **Vulnerability Type**: Information Exposure / Log Injection of Sensitive Credentials\n- **Asset Compromise**: High. Exposing administrator and virtual machine passwords or other private API keys inside standard log files allows local attackers, internal users, or compromised log ingestion pipelines (ELK, Splunk) to gain complete access to hypervisors, OOB/IPMI consoles, and private cloud infrastructure.\n\n---\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloud-framework-jobs\n- **Affected versions**: \u003c= 4.22.1.0 (commit: `348ce953a99246a756b527994f7745a7be038234`)\n- **Patched versions**: \u003cNone\u003e\n\n---\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n\n---\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n---\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L438-L442) | The vulnerable logging statement inside `updateAsyncJobStatus` method that prints raw progress results containing plain text passwords without any obfuscation filter. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:04:43.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13301/cloudstack/issues/13301"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:e0945fcd-f197-6c32-7020-292e165e07f0 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | ED8C:D3583:9F5D46:DC1122:6A4DDDC9 |
| html-safe-nonce | fb6a89dd355740be62e63039a1dfc1876109fbbab85600de894354e41fc847f9 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFRDhDOkQzNTgzOjlGNUQ0NjpEQzExMjI6NkE0REREQzkiLCJ2aXNpdG9yX2lkIjoiODYzNzAwODM2MzA2MDU4Mzg4MSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | a20504323602d52ae3e8c0a8eeddc7f1b82000d48cb666d9de64f0636a47b6d3 |
| hovercard-subject-tag | issue:4561051767 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13301/issue_layout |
| twitter:image | https://opengraph.githubassets.com/3b55bb6686938a579a82a46cd926ffb9ea883bb34156d7861e9ccbfa5d4351f2/apache/cloudstack/issues/13301 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/3b55bb6686938a579a82a46cd926ffb9ea883bb34156d7861e9ccbfa5d4351f2/apache/cloudstack/issues/13301 |
| og:image:alt | Advisory Details Title: Sensitive Password Leak in Async Job Status Update Logging (updateAsyncJobStatus) Description: In Apache CloudStack, any asynchronous task triggered by a user (e.g. creating... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width