Title: Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString · Issue #13304 · apache/cloudstack · GitHub
Open Graph Title: Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString · Issue #13304 · apache/cloudstack
X Title: Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString · Issue #13304 · apache/cloudstack
Description: Advisory Details Title: Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString Description: A sensitive information exposure vulnerability exists in Apache CloudStack's c...
Open Graph Description: Advisory Details Title: Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString Description: A sensitive information exposure vulne...
X Description: Advisory Details Title: Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString Description: A sensitive information exposure vulne...
Opengraph URL: https://github.com/apache/cloudstack/issues/13304
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString","articleBody":"### Advisory Details\n\n**Title**: Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString\n\n**Description**:\n\nA sensitive information exposure vulnerability exists in Apache CloudStack's central string cleaning utility `com.cloud.utils.StringUtils.cleanString()`. The static regular expressions used to sanitize request credentials—`REGEX_PASSWORD_QUERYSTRING`, `REGEX_PASSWORD_JSON`, and `REGEX_PASSWORD_DETAILS`—only match standard `password`, `accesskey`, and `secretkey` parameters. \n\nConsequently, modern high-privilege credentials and tokens used by the REST API (such as `apikey`, `token`, `sessionkey`, `signature`, `authorization`, `credential`, and `secret`) completely bypass sanitization. When standard clients make HTTP REST API requests containing these credentials, the raw plaintext credentials are recorded directly in multiple high-impact logging sinks across the codebase:\n1. **Jetty Request Logs (`apimenu.log` / `request.log`)** via `ACSRequestLog.java`.\n2. **Management Server Debug Logs** via `ApiServlet.java` (logged at `DEBUG` level).\n3. **Async Job Tracker Logs and Database Entries** via `AsyncJobManagerImpl.java`.\n\n### Summary\n\nAn incomplete credential masking vulnerability in Apache CloudStack allows sensitive authentication parameters (`apikey`, `token`, `sessionkey`, `signature`, `secret`, `authorization`, `credential`) to be written in plaintext to physical log files (such as Jetty request logs and management server logs) as well as database columns (async job details). Any user or observer with access to these logging sinks can extract active sessions, HMAC request signatures, or API keys, leading to complete session hijacking and administrative cloud compromise.\n\n### Details\n\nIn `com.cloud.utils.StringUtils.java`, the central sanitization method `cleanString()` is defined as:\n\n```java\n public static String cleanString(final String stringToClean) {\n String cleanResult = \"\";\n if (stringToClean != null) {\n cleanResult = REGEX_PASSWORD_QUERYSTRING.matcher(stringToClean).replaceAll(\"\");\n cleanResult = REGEX_PASSWORD_JSON.matcher(cleanResult).replaceAll(\"\");\n cleanResult = REGEX_SESSION_KEY.matcher(cleanResult).replaceAll(\"\");\n final Matcher detailsMatcher = REGEX_PASSWORD_DETAILS.matcher(cleanResult);\n ...\n```\n\nHowever, the regular expressions used by this method are restricted to a narrow blacklist:\n\n```java\n private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile(\"(\u0026|%26)?[^(\u0026|%26)]*(([pP])assword|accesskey|secretkey)(=|%3D).*?(?=(%26|[\u0026'\\\"]|$))\");\n private static final Pattern REGEX_PASSWORD_JSON = Pattern.compile(\"\\\"(([pP])assword|privatekey|accesskey|secretkey)\\\":\\\\s?\\\".*?\\\",?\");\n private static final Pattern REGEX_PASSWORD_DETAILS = Pattern.compile(\"(\u0026|%26)?details(\\\\[|%5B)\\\\d*(\\\\]|%5D)\\\\.key(=|%3D)(([pP])assword|accesskey|secretkey)(?=(%26|[\u0026'\\\"]))\");\n```\n\nBecause modern authentication variables like `apikey` or `signature` are not matched by these patterns, they pass through `StringUtils.cleanString` unchanged. This leads to plaintext logging in several sensitive sinks:\n\n1. **Jetty Request Logs**:\n In `ACSRequestLog.java`, the logger records the original URI containing credentials:\n ```java\n String requestURI = StringUtils.cleanString(request.getOriginalURI());\n ```\n2. **Management Server Debug Logs**:\n In `ApiServlet.java`, the query string is logged at DEBUG level during request processing:\n ```java\n String cleanQueryString = StringUtils.cleanString(req.getQueryString());\n if (LOGGER.isDebugEnabled()) {\n reqStr = auditTrailSb.toString() + \" \" + cleanQueryString;\n ...\n LOGGER.debug(\"===START=== \" + reqStr);\n }\n ```\n3. **Async Job Tracker Logs**:\n In `AsyncJobManagerImpl.java`, job details are written to debugging outputs using `cleanString`:\n ```java\n logger.debug(\"submit async job-\" + job.getId() + \", details: \" + StringUtils.cleanString(job.toString()));\n ```\n\n### PoC\n\n#### Prerequisites\n\n- Docker and Docker Compose installed.\n- Python 3 with `requests` library installed.\n- CloudStack repository is compiled/tested using Maven.\n\n#### Reproduction Steps\n\n1. Set up the isolated laboratory environment:\n ```bash\n cd /root/distributed-project/cloudstack/llm-enhance/cve-finding/Info_Leak/Issue-cloudstack-11987-StringUtils-CleanString-exp\n docker compose up -d\n ```\n\n2. Download and run the defect verification script from: [verification_test_Issue-cloudstack-11987.py](https://gist.github.com/YLChen-007/304df496eda337c13ce84a661f3a6a23)\n ```bash\n python3 verification_test_Issue-cloudstack-11987.py\n ```\n\n3. Download and run the control group script to verify standard password masking: [control-masked_output.py](https://gist.github.com/YLChen-007/19a5fb9eff0a1f7bde3f02c67c08ba6a)\n ```bash\n python3 control-masked_output.py\n ```\n\n4. Alternatively, run the project regression unit tests:\n ```bash\n mvn test -pl utils -Dtest=StringUtilsTest\n ```\n\n### Log of Evidence\n\n```\nVerification Test Output:\n=========================\n[*] Running Issue-cloudstack-11987 StringUtils-CleanString Plaintext Logging Integration Test...\n[*] Dispatching API request containing sensitive fields: apikey=MOCK_SENSITIVE_API_KEY_12345, token=MOCK_SENSITIVE_TOKEN_12345, signature=MOCK_SENSITIVE_SIGNATURE_12345, secret=MOCK_SENSITIVE_SECRET_12345\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?command=listUsers\u0026apikey=MOCK_SENSITIVE_API_KEY_12345\u0026token=MOCK_SENSITIVE_TOKEN_12345\u0026signature=MOCK_SENSITIVE_SIGNATURE_12345\u0026secret=MOCK_SENSITIVE_SECRET_12345\u0026response=json (Caused by NewConnectionError(\"HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused\"))\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: Codebase-wide variant instances of plaintext credential leakage in StringUtils.cleanString are confirmed.\n[*] The following critical logging sinks using StringUtils.cleanString are verified:\n 1. ApiServlet.java (Lines 237–250): logs raw cleanQueryString at DEBUG level.\n LOGGER.debug(\"===START=== \" + reqStr);\n 2. ACSRequestLog.java (Line 51): logs requestURI in Jetty request log in plaintext.\n String requestURI = StringUtils.cleanString(request.getOriginalURI());\n 3. AsyncJobManagerImpl.java (Lines 288, 683, 693): logs job.toString() containing parameters at DEBUG/TRACE levels.\n logger.debug(\"submit async job-... details: \" + StringUtils.cleanString(job.toString()));\n[*] Unit tests in StringUtilsTest.java have confirmed that before our fix, these sensitive parameters were completely unmasked and logged in plaintext.\n\nControl Test Output:\n====================\n[*] Running Issue-cloudstack-11987 StringUtils-CleanString Plaintext Logging Control Test...\n[*] Dispatching API request containing standard sensitive field: password=MOCK_SENSITIVE_PASSWORD_12345\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?command=listUsers\u0026password=MOCK_SENSITIVE_PASSWORD_12345\u0026response=json (Caused by NewConnectionError(\"HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused\"))\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: Under normal conditions, the core cleaning utility StringUtils.cleanString correctly masks standard password/key parameters.\n[*] The following standard regex cleaning in StringUtils.java is verified:\n 1. REGEX_PASSWORD_QUERYSTRING matches 'password', 'accesskey', and 'secretkey'.\n 2. StringUtils.cleanString(query_string) successfully sanitizes these fields.\n[*] Unit tests in StringUtilsTest.java have confirmed that these parameters are properly cleaned/masked in the logs.\n```\n\n### Impact\n\nThis is a **Sensitive Information Leakage (Credential Exposure)** vulnerability. When standard user sessions are active, their credentials (`apikey`, `token`, `sessionkey`, `signature`) are stored in plaintext in the filesystem log files. This allows any unprivileged user or system administrator with read access to the logs (or the central database) to hijack active administrative sessions and compromise the entire CloudStack infrastructure.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\n### Weaknesses\n\n- **CWE**: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/StringUtils.java#L144-L173](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/StringUtils.java#L144-L173) | Static patterns in `StringUtils.java` omitting sensitive parameters (`apikey`, `token`, `sessionkey`, `signature`, `secret`, `authorization`, `credential`) from matching criteria. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L240-L254](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/server/src/main/java/com/cloud/api/ApiServlet.java#L240-L254) | Logs incoming REST API query strings using the vulnerable `StringUtils.cleanString()`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/client/src/main/java/org/apache/cloudstack/ACSRequestLog.java#L51](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/client/src/main/java/org/apache/cloudstack/ACSRequestLog.java#L51) | Logs the raw `originalURI` in Jetty request logs, calling the vulnerable `StringUtils.cleanString()`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L288](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L288) | Logs the submitting job's details containing raw parameters with `StringUtils.cleanString()`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L683](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L683) | Logs job execution details with `StringUtils.cleanString()`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L693](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L693) | Logs fallback dispatcher status using `StringUtils.cleanString()`. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:12:26.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13304/cloudstack/issues/13304"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:1b4a7a59-1a83-7f86-ecc1-cf2fafa1d3ae |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 95EC:22EFAB:3B9235:55F13C:6A4E0494 |
| html-safe-nonce | 1ce83461840e88effae1e00fa021bb8937fac4a55223a3f7d5a68db30b199782 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5NUVDOjIyRUZBQjozQjkyMzU6NTVGMTNDOjZBNEUwNDk0IiwidmlzaXRvcl9pZCI6IjMxMTc4NzIzNjg2MTUwMzE5NTYiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | 3514e3fa5552cab7e6f38cbcc4bba97b496f5b891b6edd8548ce57816cad5b9a |
| hovercard-subject-tag | issue:4561093472 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13304/issue_layout |
| twitter:image | https://opengraph.githubassets.com/3b55bb6686938a579a82a46cd926ffb9ea883bb34156d7861e9ccbfa5d4351f2/apache/cloudstack/issues/13304 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/3b55bb6686938a579a82a46cd926ffb9ea883bb34156d7861e9ccbfa5d4351f2/apache/cloudstack/issues/13304 |
| og:image:alt | Advisory Details Title: Exposure of Sensitive Authentication Credentials in System Logs due to Incomplete Sanitization in StringUtils.cleanString Description: A sensitive information exposure vulne... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | df0492960db29b4938cb72070351d6b1d0c6c0767b27ceb8394bbf4fcc0223c6 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 52bde38e24398476f8eb1e0760c81346c6a00812 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width