Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations · Issue #13303 · apache/cloudstack · GitHub
Open Graph Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations · Issue #13303 · apache/cloudstack
X Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations · Issue #13303 · apache/cloudstack
Description: Advisory Details Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations Description: Apache CloudStack is vulnerable to plaintext credential exposure when registering and configur...
Open Graph Description: Advisory Details Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations Description: Apache CloudStack is vulnerable to plaintext credentia...
X Description: Advisory Details Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations Description: Apache CloudStack is vulnerable to plaintext credentia...
Opengraph URL: https://github.com/apache/cloudstack/issues/13303
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations","articleBody":"### Advisory Details\n\n**Title**: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations\n\n**Description**:\nApache CloudStack is vulnerable to plaintext credential exposure when registering and configuring external network element providers (such as VMware NSX, Netris, or BigSwitch BCF) and hypervisors (such as Oracle OVM3). During configuration initialization (`configure` method), the resource managers check for the existence of mandatory properties (like `port` or `url`). If a required parameter is missing or connection fails, the resource managers throw a `ConfigurationException` that stringifies the entire unmasked configuration parameters map (`params`), which contains the cleartext administrator or agent password. \nThis exception is captured by the outer Management Server framework and is both directly returned to the calling client in the JSON HTTP REST API error response (`errortext` field) and logged as cleartext in system logs (`management-server.log`). In addition, `Ovm3HypervisorResource` prints the raw parameter map in debug mode, causing credentials to be persistently stored in the logging system.\n\n---\n\n### Summary\nAn information exposure vulnerability in Apache CloudStack allows authenticated administrators or network operators to leak and obtain highly privileged plaintext credentials of underlying network elements (VMware NSX, Netris, BigSwitch) and hypervisor agents (OVM3). By submitting a resource configuration request that deliberately omits a required parameter, the platform's exception handling stringifies the entire configuration map, revealing the plaintext password in HTTP REST API error responses and system logs.\n\n---\n\n### Details\nIn Apache CloudStack, administrators configure external infrastructure by invoking REST API commands like `addNsxController`, `addHost`, and `addNetrisDevice`. The framework passes these parameters in a unified `params` Map (`Map\u003cString, Object\u003e`) to the corresponding backend `ServerResource` component.\nFour resource managers fail to properly mask or exclude the raw parameter map when raising exceptions or logging:\n\n1. **`NsxResource.java`** (Lines 186–205)\n When checking mandatory parameters (e.g. `port`, `username`, `password`), if a check fails, the resource manager stringifies `params` in the exception message:\n ```java\n port = (String) params.get(\"port\");\n if (port == null) {\n throw new ConfigurationException(\"Missing NSX port from params: \" + params);\n }\n ```\n Since `params` contains the cleartext `\"password\"` field, it is converted to string and returned in the Exception message.\n\n2. **`NetrisResource.java`** (Lines 190–204)\n Similarly leaks cleartext credentials in Netris element configurations:\n ```java\n endpointUrl = (String) params.get(\"url\");\n if (endpointUrl == null) {\n throw new ConfigurationException(\"Missing Netris provider URL from params: \" + params);\n }\n ```\n\n3. **`BigSwitchBcfResource.java`** (Lines 106–124)\n Leaks credentials in BigSwitch BCF configuration error messages:\n ```java\n String hostname = (String)params.get(\"hostname\");\n if (hostname == null) {\n throw new ConfigurationException(\"Missing host name from params: \" + params);\n }\n ```\n\n4. **`Ovm3HypervisorResource.java`** (Line 308)\n Logs the complete parameter map including unmasked OVS agent passwords in debug logging:\n ```java\n @Override\n public boolean configure(String name, Map\u003cString, Object\u003e params) throws ConfigurationException {\n logger.debug(\"configure \" + name + \" with params: \" + params);\n ```\n\n---\n\n### PoC\n\n#### Prerequisites\n* Python 3.x with the `requests` library installed.\n* CloudStack Management Server administrative API access (or a simulated test environment).\n\n#### Reproduction Steps\nTo reproduce the credential leakage safely and reliably without a full multi-gigabyte Apache CloudStack cluster setup, we use the local mock verification script which simulates the backend resource validation logic:\n\n1. Download the isolated environment setup from: [docker-compose.yml](https://gist.github.com/YLChen-007/890b90176cdcdc1110f91894feda19e5)\n2. Download the Vulnerability Verification PoC script from: [verification_test_Issue-cloudstack-11985-ResourceParams.py](https://gist.github.com/YLChen-007/bdd4c812681c958cb3089fe9e88c3e07)\n3. Download the Control Group Verification script from: [control-masked_exception.py](https://gist.github.com/YLChen-007/49f9ce71c53e1d1acc03e4d4a13be6c6)\n4. Execute the verification test to demonstrate the plaintext password leakage:\n ```bash\n python3 verification_test_Issue-cloudstack-11985-ResourceParams.py\n ```\n5. Execute the control test to confirm that a secured backend correctly masks or omits the parameter map:\n ```bash\n python3 control-masked_exception.py\n ```\n\n---\n\n### Log of Evidence\n\nUpon executing the verification test (`verification_test_Issue-cloudstack-11985-ResourceParams.py`), the following runtime console output confirms the defect by capturing the cleartext password `HighlySensitiveResourcePassword123!` directly in the error response payload:\n\n```\n[*] Starting Local Vulnerability Mock Server...\n[*] Running Issue-cloudstack-11985 ResourceParams Credential Leakage Integration Test...\n[*] Dispatching addNsxController command with sensitive password: HighlySensitiveResourcePassword123!\n[*] Response Status Code: 530\n[*] Response Payload: {'addnsxcontrollerresponse': {'errorcode': 530, 'errortext': \"com.cloud.utils.exception.CloudRuntimeException: javax.naming.ConfigurationException: Missing NSX port from params: {'name': 'mock-nsx-provider', 'hostname': '192.168.1.100', 'username': 'admin', 'password': 'HighlySensitiveResourcePassword123!', 'tier0gateway': 'T0-GW', 'edgecluster': 'Edge-Cluster', 'transportzone': 'TZ-Overlay', 'zoneid': '00000000-0000-0000-0000-000000000000', 'command': 'addNsxController', 'apiKey': 'ADMIN_API_KEY_PLACEHOLDER', 'response': 'json', 'signature': 'ud2x93R63p7cIk/kdPJt1+3lyv8='}\"}}\n[DEFECT CONFIRMED] Plaintext password leaked in the API error response!\n```\n\n---\n\n### Impact\n* **Vulnerability Type**: Information Exposure / Plaintext Credential Leakage (CWE-209 / CWE-532)\n* **Assets Compromised**: High-privilege control-plane infrastructure credentials (including VMware NSX, Netris switches, BigSwitch BCF, and OVM3 hypervisors).\n* **Consequences**: An attacker or operator with device configuration permissions can retrieve the raw plaintext credentials of core SD-WAN controllers and network switches, enabling them to alter overlay network topologies, capture data plane traffic, or bypass boundary controls. In the case of OVM3, leaking agent credentials yields root SSH access on physical hypervisors. Furthermore, the persistent log logging violates standard PCI-DSS and security audit compliance controls.\n\n---\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n---\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n---\n\n### Weaknesses\n\n- **CWE-209**: Generation of Error Message Containing Sensitive Information\n- **CWE-532**: Insertion of Sensitive Information into Log File\n\n---\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java#L186-L205](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/nsx/src/main/java/org/apache/cloudstack/resource/NsxResource.java#L186-L205) | Vulnerable parameter map stringification inside NsxResource configuration validation exceptions. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/netris/src/main/java/org/apache/cloudstack/resource/NetrisResource.java#L190-L204](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/netris/src/main/java/org/apache/cloudstack/resource/NetrisResource.java#L190-L204) | Vulnerable parameter map stringification inside NetrisResource configuration validation exceptions. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/bigswitch/src/main/java/com/cloud/network/resource/BigSwitchBcfResource.java#L106-L124](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/network-elements/bigswitch/src/main/java/com/cloud/network/resource/BigSwitchBcfResource.java#L106-L124) | Vulnerable parameter map stringification inside BigSwitchBcfResource configuration validation exceptions. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java#L308](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java#L308) | Plaintext logging of the parameters map containing passwords inside Ovm3HypervisorResource configuration debug statements. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:12:13.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13303/cloudstack/issues/13303"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:c898f2bc-de9d-4d67-749d-6c56aa554fd4 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | C982:10263B:6608F5:89E517:6A4DD1BB |
| html-safe-nonce | 2e9a807312311a3e9e0da666277929384a795194f5590984b2ca07d76d7aa782 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDOTgyOjEwMjYzQjo2NjA4RjU6ODlFNTE3OjZBNEREMUJCIiwidmlzaXRvcl9pZCI6IjU4Njg1OTIxMTQ3MzI3NDkyNDMiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 03e33109330b5c7e8ea8408972363e73374b480ceecee4e26358db9e4041b2d4 |
| hovercard-subject-tag | issue:4561092376 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13303/issue_layout |
| twitter:image | https://opengraph.githubassets.com/8604ed1ad074a3b5076a4b2e3a6afc67bb2f67cf6a8813aae01006b608aea880/apache/cloudstack/issues/13303 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/8604ed1ad074a3b5076a4b2e3a6afc67bb2f67cf6a8813aae01006b608aea880/apache/cloudstack/issues/13303 |
| og:image:alt | Advisory Details Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations Description: Apache CloudStack is vulnerable to plaintext credentia... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width