René's URL Explorer Experiment


Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs · Issue #13305 · apache/cloudstack · GitHub

Open Graph Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs · Issue #13305 · apache/cloudstack

X Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs · Issue #13305 · apache/cloudstack

Description: Advisory Details Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs Description: During KVM host certificate setup or renewal procedures in Apache CloudStack, the KVM host agent (cloud-age...

Open Graph Description: Advisory Details Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs Description: During KVM host certificate setup or renewal procedures in Apache C...

X Description: Advisory Details Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs Description: During KVM host certificate setup or renewal procedures in Apache C...

Opengraph URL: https://github.com/apache/cloudstack/issues/13305

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs","articleBody":"### Advisory Details\n\n**Title**: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs\n\n**Description**:\nDuring KVM host certificate setup or renewal procedures in Apache CloudStack, the KVM host agent (`cloud-agent`) utilizes the `com.cloud.utils.script.Script` wrapper to invoke external certificate management scripts. These command executions are logged in plain text on script failures, timeouts (300 seconds), or process exceptions.\n\nAlthough CloudStack possesses a robust password masking feature (`script.addSensitive(String param)`) that redacts arguments as `\"******\"`, the `com.cloud.agent.Agent.java` component registers the administrative keystore password (`storedPassword`), the keystore passphrase (`ksPassphrase`), and the raw, unencrypted client SSL certificate private key (`privateKey`) via the insecure `script.add(String param)` method.\n\nConsequently, if the setup script fails or times out, the KVM host agent writes the complete, unsanitized command line containing these administrative passwords and the raw private SSL key in plain text directly to the agent's log file (e.g., `/var/log/cloudstack/agent/agent.log`). An unauthorized local user with read access to the KVM host logs can retrieve these credentials, completely compromising the SSL channel and the KVM compute node.\n\n### Summary\nAn unmasked command logging vulnerability in the Apache CloudStack KVM host agent allows administrative keystore passwords, passphrases, and raw unencrypted SSL private keys to be leaked in plain text to agent log files on script failure or execution timeout. This enables local users with access to host logs to completely compromise node-to-management communication integrity.\n\n### Details\nIn `com.cloud.agent.Agent.java`, KVM host cert and keystore setups are handled in the `setupAgentKeystore` and `setupAgentCertificate` methods. \n\nThe `Script` class logs all command lines at `WARN` or `DEBUG` level when the executed processes encounter exceptions, fail, or run over the 300,000ms timeout limit. To protect credentials, `Script` supports `addSensitive()` to flag and mask arguments:\n```java\n// utils/src/main/java/com/cloud/utils/script/Script.java\npublic void addSensitive(String param) {\n    _command.add(param);\n    sensitiveArgIndices.add(_command.size() - 1);\n}\n```\n\nHowever, `Agent.java` still registers cryptographic secrets using the standard `add()` call:\n\n#### Keystore Password Added via Insecure `add()` in `setupAgentKeystore`\n```java\n// agent/src/main/java/com/cloud/agent/Agent.java (Lines 875-881)\n        Script script = new Script(keystoreSetupSetupPath, 300000, logger);\n        script.add(agentFile.getAbsolutePath());\n        script.add(keyStoreFile);\n        script.add(storedPassword);                // ❌ Plaintext password added via regular add()\n        script.add(String.valueOf(validityDays));\n        script.add(csrFile);\n        String result = script.execute();\n```\n\n#### Passphrase \u0026 Private Key Added via Insecure `add()` in `setupAgentCertificate`\n```java\n// agent/src/main/java/com/cloud/agent/Agent.java (Lines 920-931)\n        Script script = new Script(keystoreCertImportScriptPath, 300000, logger);\n        script.add(agentFile.getAbsolutePath());\n        script.add(ksPassphrase);                  // ❌ Plaintext passphrase added via regular add()\n        script.add(keyStoreFile);\n        script.add(KeyStoreUtils.AGENT_MODE);\n        script.add(certFile);\n        script.add(\"\");\n        script.add(caCertFile);\n        script.add(\"\");\n        script.add(privateKeyFile);\n        script.add(privateKey);                    // ❌ Raw unencrypted private key added via regular add()\n        String result = script.execute();\n```\n\nWhen execution of the certificate setup or import processes fails or times out, the `Script` class formats the full command line with all plain parameters and logs it to `agent.log`.\n\n---\n\n### PoC\n\n#### Prerequisites\n- A running KVM compute host running the `cloud-agent`.\n- Local access to KVM host logs or administrative access to the CloudStack Management Server REST API.\n\n#### Reproduction Steps\n\n1. Configure the local database and management environment:\n   Download the Docker Compose configuration from: [docker-compose.yml](https://gist.github.com/YLChen-007/f177019b8faf5026082be2f7fa0e621a)\n   ```bash\n   docker compose up -d\n   ```\n\n2. Download the active integration test script:\n   [verification_test.py](https://gist.github.com/YLChen-007/a5e30e399953aa3452208d52a02cb0c5)\n   \n3. Execute the automated verification tool simulating a certificate provisioning command:\n   ```bash\n   python3 verification_test.py\n   ```\n   *(Note: The integration test validates the KVM agent configuration. If the management server is offline, it executes an academic verification proving the presence of plain `add()` calls in `Agent.java` for `storedPassword`, `ksPassphrase`, and `privateKey` in place of `addSensitive()`.)*\n\n4. Run the scientific control baseline script:\n   [control-masked_output.py](https://gist.github.com/YLChen-007/4bcdd4e45c8a6c3e545df8b1c7109b85)\n   ```bash\n   python3 control-masked_output.py\n   ```\n   *(Note: The control script demonstrates that when `addSensitive()` is properly utilized by developers—such as in `LibvirtUpdateHostPasswordCommandWrapper.java`—the password arguments are successfully redacted as `******` during logged command execution.)*\n\n---\n\n### Log of Evidence\n\n```\n=== VERIFICATION TEST ===\n[*] Running Issue-cloudstack-12005 Inadequate Password Masking in Script Execution Integration Test...\n[*] Attempting to dispatch provisionCertificate command...\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?...\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: com.cloud.agent.Agent is confirmed vulnerable to credential leak via Script execution.\n[*] Vulnerability Details:\n    In com.cloud.agent.Agent.java:\n    - Line 878: script.add(storedPassword); where storedPassword is the keystore password.\n    - Line 922: script.add(ksPassphrase); where ksPassphrase is the keystore passphrase.\n    - Line 930: script.add(privateKey); where privateKey is the raw private key of the SSL certificate.\n    - These parameters are added using the generic script.add() instead of script.addSensitive().\n    - On KVM host agent, if keystore setup or import scripts time out, fail, or encounter an exception,\n      the com.cloud.utils.script.Script class logs the complete unsanitized command line containing the private key and password in plaintext.\n[DEFECT CONFIRMED] Plaintext sensitive cryptographic keys and passwords leaked in KVM agent logs due to missing addSensitive usage.\n\n=== CONTROL TEST ===\n[*] Running Control Group Experiment - Verifying Password Masking Security Mechanism...\n[*] Attempting to dispatch updateHostPassword command (Control Baseline)...\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?...\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: The password-masking security mechanism (Script.addSensitive) is verified.\n[*] Scientific Control Group Analysis:\n    1. Under normal/correct implementation of the masking feature:\n       - com.cloud.hypervisor.kvm.resource.wrapper.LibvirtUpdateHostPasswordCommandWrapper.java correctly utilizes script.addSensitive(newPassword) at Line 41.\n       - com.cloud.utils.script.ScriptTest.java (Line 86) explicitly verifies that script.addSensitive(\"sensitive-arg\") masks values to \"******\".\n    2. When the masking is active, any script failure or log output shows '******' instead of the raw credentials.\n    3. Therefore, the password masking mechanism is fully functional and operates correctly when called.\n[CONTROL SUCCESS] Password masking is confirmed working as designed in the control baseline.\n```\n\n---\n\n### Impact\n- **Vulnerability Category**: CWE-532 (Insertion of Sensitive Information into Log File)\n- **Compromised Assets**: KVM Host SSL Certificates, Node Private Keys, administrative keystore passwords and passphrases.\n- **Consequences**: This exposure completely compromises the TLS communication channel between the KVM compute node (`cloud-agent`) and the Management Server. Using the raw SSL private key and keystore passwords, an attacker can launch Man-in-the-Middle (MITM) attacks, hijack or inject arbitrary management commands, read sensitive hypervisor communications, and fully compromise KVM compute resources.\n\n---\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloud-agent\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n---\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L875-L881](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L875-L881) | The vulnerable command script creation in `setupAgentKeystore` passing the `storedPassword` to the shell script using standard `script.add()` instead of `script.addSensitive()`. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L920-L931](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L920-L931) | The vulnerable command script creation in `setupAgentCertificate` passing the `ksPassphrase` and raw `privateKey` via standard `script.add()` instead of `script.addSensitive()`. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:12:37.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13305/cloudstack/issues/13305"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:d304aa90-5b08-e7c9-48df-f7892638c2c2
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-id86EC:38F182:F22249:14B5389:6A4DD1D6
html-safe-noncef6434f0cc244b0d9449db98b5ac6ab998fc9046d9ce3f0cdd32d60eb007d03d9
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4NkVDOjM4RjE4MjpGMjIyNDk6MTRCNTM4OTo2QTRERDFENiIsInZpc2l0b3JfaWQiOiI0ODcwOTg0NDE0MzI0OTY5OTQyIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0=
visitor-hmac3ffc5a6cf650d19a4849f16533f7666f5a106713a24371e4c8d1a94460686ae8
hovercard-subject-tagissue:4561094447
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13305/issue_layout
twitter:imagehttps://opengraph.githubassets.com/b8cf0f86ccd48df29d8c620e1ec27eaf4ce55b92bf43b58e6aa32019eb6c1d57/apache/cloudstack/issues/13305
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/b8cf0f86ccd48df29d8c620e1ec27eaf4ce55b92bf43b58e6aa32019eb6c1d57/apache/cloudstack/issues/13305
og:image:altAdvisory Details Title: Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logs Description: During KVM host certificate setup or renewal procedures in Apache C...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameYLChen-007
hostnamegithub.com
expected-hostnamegithub.com
None06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33
turbo-cache-controlno-preview
go-importgithub.com/apache/cloudstack git https://github.com/apache/cloudstack.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id9759448
octolytics-dimension-repository_nwoapache/cloudstack
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id9759448
octolytics-dimension-repository_network_root_nwoapache/cloudstack
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack/issues/13305#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13305
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13305
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=apache%2Fcloudstack
Reloadhttps://github.com/apache/cloudstack/issues/13305
Reloadhttps://github.com/apache/cloudstack/issues/13305
Reloadhttps://github.com/apache/cloudstack/issues/13305
Please reload this pagehttps://github.com/apache/cloudstack/issues/13305
apache https://github.com/apache
cloudstackhttps://github.com/apache/cloudstack
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack
Fork 1.3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Star 3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Code https://github.com/apache/cloudstack
Issues 536 https://github.com/apache/cloudstack/issues
Pull requests 268 https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality 0 https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Code https://github.com/apache/cloudstack
Issues https://github.com/apache/cloudstack/issues
Pull requests https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
Sensitive Keystore Credentials and SSL Private Key Plaintext Exposure in KVM Host Agent Logshttps://github.com/apache/cloudstack/issues/13305#top
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
https://github.com/YLChen-007
YLChen-007https://github.com/YLChen-007
on Jun 1, 2026https://github.com/apache/cloudstack/issues/13305#issue-4561094447
docker-compose.ymlhttps://gist.github.com/YLChen-007/f177019b8faf5026082be2f7fa0e621a
verification_test.pyhttps://gist.github.com/YLChen-007/a5e30e399953aa3452208d52a02cb0c5
control-masked_output.pyhttps://gist.github.com/YLChen-007/4bcdd4e45c8a6c3e545df8b1c7109b85
cloudstack/agent/src/main/java/com/cloud/agent/Agent.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L875-L881
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
cloudstack/agent/src/main/java/com/cloud/agent/Agent.javahttps://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/agent/src/main/java/com/cloud/agent/Agent.java#L920-L931
348ce95https://github.com/apache/cloudstack/commit/348ce953a99246a756b527994f7745a7be038234
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.