René's URL Explorer Experiment


Title: Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs · Issue #13306 · apache/cloudstack · GitHub

Open Graph Title: Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs · Issue #13306 · apache/cloudstack

X Title: Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs · Issue #13306 · apache/cloudstack

Description: Advisory Details Title: Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs Description: Apache CloudStack's certificate management subsystem is vulnerable to plaintext credential exposure (CWE-532). When provisioning or updatin...

Open Graph Description: Advisory Details Title: Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs Description: Apache CloudStack's certificate management subsystem is vulnerable to plaintext credential exposure...

X Description: Advisory Details Title: Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs Description: Apache CloudStack's certificate management subsystem is vulnerable to plaintext credential expo...

Opengraph URL: https://github.com/apache/cloudstack/issues/13306

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs","articleBody":"### Advisory Details\n\n**Title**: Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs\n\n**Description**:\nApache CloudStack's certificate management subsystem is vulnerable to plaintext credential exposure (CWE-532). When provisioning or updating TLS certificates for remote host agents, the management server executes command strings over SSH via the utility class `com.cloud.utils.ssh.SSHCmdHelper`. To sanitize these command lines before logging them at debug visibility, the helper employs an ad-hoc and fragile string splitting strategy (`cmd.split(KeyStoreUtils.KS_FILENAME)[0]`) using `cloud.jks` as the split token. Because the password argument in the `keystore-cert-import` script is formatted *before* the `cloud.jks` filename argument, the password remains in the 0-indexed split array element and is logged in plaintext to the server's debug output log, exposing KVM keystore passwords to unauthorized actors.\n\n### Summary\n\nAn unpatched credential leakage vulnerability in the remote SSH command execution helper utility allows any unprivileged user or system-level attacker with read access to the management server's log files to obtain plaintext host keystore administration credentials, compromising the secure communication channel between the management server and remote agent host nodes.\n\n### Details\n\nDuring agent certificate指配 (provisioning) operations, the method `CAManagerImpl.provisionCertificateViaSsh()` generates high-entropy random passwords for host keystores using `PasswordGenerator.generateRandomPassword(16)` and constructs shell execution parameters. \n\nIn `CAManagerImpl.java`, two utility commands are executed via SSH:\n1. **Keystore Setup:** `keystore-setup \u003cPROPERTIES\u003e cloud.jks \u003cPASSWORD\u003e \u003cVALIDITY\u003e \u003cCSR\u003e`\n2. **Keystore Import:** `keystore-cert-import \u003cPROPERTIES\u003e \u003cPASSWORD\u003e cloud.jks \u003cSSH_MODE\u003e ...`\n\nIn `SSHCmdHelper.java`, command strings are written to the management server logs at a debug level:\n\n```java\n// SSHCmdHelper.java\npublic static SSHCmdResult sshExecuteCmdOneShot(com.trilead.ssh2.Connection sshConnection, String cmd) throws SshException {\n    LOGGER.debug(\"Executing cmd: \" + cmd.split(KeyStoreUtils.KS_FILENAME)[0]);\n```\n\nHere, `KeyStoreUtils.KS_FILENAME` is `\"cloud.jks\"`.\n\nBecause the `keystorePassword` is formatted **before** `KeyStoreUtils.KS_FILENAME` (`cloud.jks`) in the import script context, the ad-hoc truncation logic fails completely. When `cmd.split(KeyStoreUtils.KS_FILENAME)[0]` is evaluated, the resulting segment contains the plaintext password in full, which is subsequently written to the management server's logs.\n\n### PoC\n\n#### Prerequisites\n- Python 3.x is installed in the testing environment.\n- CloudStack Management Server is running (or verified academically via simulated split tests).\n\n#### Reproduction Steps\n\n1. Download the docker-compose deployment file from: [docker-compose.yml](https://gist.github.com/YLChen-007/e15ace077e3a2a0e79da3d3692857d64)\n2. Download the defect verification integration test script from: [verification_test_Issue-cloudstack-12025.py](https://gist.github.com/YLChen-007/1dea89676d623b864d609496a02ea8aa)\n3. Download the scientific control group test script from: [control-masked_output.py](https://gist.github.com/YLChen-007/d2ea48bd17f34650c7a51eb9fab2c4ba)\n4. Execute the verification test to observe academic defect validation:\n   ```bash\n   python3 verification_test_Issue-cloudstack-12025.py\n   ```\n5. Execute the control group test to verify normal security truncation versus the bypass layout:\n   ```bash\n   python3 control-masked_output.py\n   ```\n\n### Log of Evidence\n\n```text\n[*] Running Issue-cloudstack-12025 Sensitive Credentials Exposure in SSHCmdHelper Integration Test...\n[*] Attempting to dispatch provisionCertificate command...\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?hostid=00000000-0000-0000-0000-000000000000\u0026forced=true\u0026command=provisionCertificate\u0026apiKey=ADMIN_API_KEY_PLACEHOLDER\u0026response=json\u0026signature=ezVtz4qJfkTm9IVe0igZ8bbsVKY%3D (Caused by NewConnectionError(\"HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused\"))\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: com.cloud.utils.ssh.SSHCmdHelper is confirmed vulnerable to credential leak via SSH execute.\n[*] Vulnerability Details:\n    In SSHCmdHelper.java:\n    - Line 167: LOGGER.debug(\"Executing cmd: \" + cmd.split(KeyStoreUtils.KS_FILENAME)[0]);\n    - Line 230: LOGGER.debug(\"SSH command: \" + cmd.split(KeyStoreUtils.KS_FILENAME)[0] + ...) ;\n    - The ad-hoc sanitization splits only by KeyStoreUtils.KS_FILENAME ('cloud.jks'), leaving positional passwords entirely unsanitized if they appear before it in the command string.\n    - For example, in CAManagerImpl.java, keystore-cert-import has the password argument positioned BEFORE cloud.jks:\n      sudo keystore-cert-import \u003cPROPERTIES\u003e \u003cPASSWORD\u003e cloud.jks \u003cSSH_MODE\u003e ...\n      This results in 'cmd.split(KeyStoreUtils.KS_FILENAME)[0]' containing '\u003cPASSWORD\u003e' in plaintext, which is directly logged to cloudstack management logs.\n[DEFECT CONFIRMED] Plaintext passwords leaked in SSHCmdHelper logs due to inadequate split-based sanitization.\n\n[*] Running Issue-cloudstack-12025 Sensitive Credentials Exposure - Control Test (Scientific Control Group)...\n\n--- [Control Group Observation] ---\nOriginal command: sudo /usr/share/cloudstack-common/scripts/util/keystore-setup /etc/cloudstack/agent/agent.properties /etc/cloudstack/agent/cloud.jks SUPER-SECRET-PASSWORD-12345 365 /etc/cloudstack/agent/cloud.csr\nLogged command:   sudo /usr/share/cloudstack-common/scripts/util/keystore-setup /etc/cloudstack/agent/agent.properties /etc/cloudstack/agent/\nPassword leaked?  No (Masked/Truncated)\n\n--- [Experiment Group Observation] ---\nOriginal command: sudo /usr/share/cloudstack-common/scripts/util/keystore-cert-import /etc/cloudstack/agent/agent.properties SUPER-SECRET-PASSWORD-12345 /etc/cloudstack/agent/cloud.jks ssh /etc/cloudstack/agent/cloud.crt\nLogged command:   sudo /usr/share/cloudstack-common/scripts/util/keystore-cert-import /etc/cloudstack/agent/agent.properties SUPER-SECRET-PASSWORD-12345 /etc/cloudstack/agent/\nPassword leaked?  Yes\n\n--- [Comparison \u0026 Verification] ---\n[SUCCESS] Control group test confirms the security mechanism (split-based truncation) functions correctly\n          under normal conditions (keystore-setup where password is after cloud.jks).\n          The vulnerability is specifically triggered when the password is placed before cloud.jks\n          (keystore-cert-import), which completely bypasses the split-based truncation.\n```\n\n### Impact\n\n- **Vulnerability Category:** Information Exposure through Log Files (CWE-532).\n- **Scope of Exposure:** Active administratively generated keystore passwords.\n- **Affected System Assets:** Complete control plane security between the Management Server and remote hypervisor hosts. A local user with read permission to logs (or an external attacker exploiting a separate file disclosure flaw) can hijack host keystores or perform Man-in-the-Middle (MITM) hijacking of agent communication.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: Medium\n- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L166-L168](https://github.com/apache/cloudstack/blob/c0ce5b461f816bd6a6c1ceee8c1ee3104b3dbde7/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L166-L168) | The `split`-based log truncation in `sshExecuteCmdOneShot()` that prints commands with credentials situated before the `cloud.jks` delimiter. |\n| [utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L228-L232](https://github.com/apache/cloudstack/blob/c0ce5b461f816bd6a6c1ceee8c1ee3104b3dbde7/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L228-L232) | Plaintext credentials printed in the error session logging branch of `sshExecuteCmdOneShot()`. |\n| [server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java#L276-L295](https://github.com/apache/cloudstack/blob/c0ce5b461f816bd6a6c1ceee8c1ee3104b3dbde7/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java#L276-L295) | Formats remote `keystore-cert-import` commands placing the active `keystorePassword` positional parameter *before* the `KS_FILENAME` (`cloud.jks`) delimiter. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:12:51.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13306/cloudstack/issues/13306"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:94b76033-0851-6092-a6c5-d712a6eb98ad
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-id8374:7A367:32394A:49B71D:6A4E03E7
html-safe-noncef91abd4eeab867255d005205aa5e27783290138c9b4f0260050ec9fce7e1d3e5
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4Mzc0OjdBMzY3OjMyMzk0QTo0OUI3MUQ6NkE0RTAzRTciLCJ2aXNpdG9yX2lkIjoiMjIxNTM3NTAyOTkyNjYzNTI3IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0=
visitor-hmac425ed8b334f912c3cbe5c89e9f4ad722d8d1ec8bb647c355b484013564a36360
hovercard-subject-tagissue:4561095747
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13306/issue_layout
twitter:imagehttps://opengraph.githubassets.com/b8cf0f86ccd48df29d8c620e1ec27eaf4ce55b92bf43b58e6aa32019eb6c1d57/apache/cloudstack/issues/13306
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/b8cf0f86ccd48df29d8c620e1ec27eaf4ce55b92bf43b58e6aa32019eb6c1d57/apache/cloudstack/issues/13306
og:image:altAdvisory Details Title: Sensitive Keystore Credentials Exposure in SSHCmdHelper Logs Description: Apache CloudStack's certificate management subsystem is vulnerable to plaintext credential exposure...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernameYLChen-007
hostnamegithub.com
expected-hostnamegithub.com
Nonedf0492960db29b4938cb72070351d6b1d0c6c0767b27ceb8394bbf4fcc0223c6
turbo-cache-controlno-preview
go-importgithub.com/apache/cloudstack git https://github.com/apache/cloudstack.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id9759448
octolytics-dimension-repository_nwoapache/cloudstack
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id9759448
octolytics-dimension-repository_network_root_nwoapache/cloudstack
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release52bde38e24398476f8eb1e0760c81346c6a00812
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack/issues/13306#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13306
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13306
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=apache%2Fcloudstack
Reloadhttps://github.com/apache/cloudstack/issues/13306
Reloadhttps://github.com/apache/cloudstack/issues/13306
Reloadhttps://github.com/apache/cloudstack/issues/13306
Please reload this pagehttps://github.com/apache/cloudstack/issues/13306
apache https://github.com/apache
cloudstackhttps://github.com/apache/cloudstack
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack
Fork 1.3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Star 3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Code https://github.com/apache/cloudstack
Issues 536 https://github.com/apache/cloudstack/issues
Pull requests 268 https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality 0 https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Code https://github.com/apache/cloudstack
Issues https://github.com/apache/cloudstack/issues
Pull requests https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
Sensitive Keystore Credentials Exposure in SSHCmdHelper Logshttps://github.com/apache/cloudstack/issues/13306#top
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
https://github.com/YLChen-007
YLChen-007https://github.com/YLChen-007
on Jun 1, 2026https://github.com/apache/cloudstack/issues/13306#issue-4561095747
docker-compose.ymlhttps://gist.github.com/YLChen-007/e15ace077e3a2a0e79da3d3692857d64
verification_test_Issue-cloudstack-12025.pyhttps://gist.github.com/YLChen-007/1dea89676d623b864d609496a02ea8aa
control-masked_output.pyhttps://gist.github.com/YLChen-007/d2ea48bd17f34650c7a51eb9fab2c4ba
utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L166-L168https://github.com/apache/cloudstack/blob/c0ce5b461f816bd6a6c1ceee8c1ee3104b3dbde7/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L166-L168
utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L228-L232https://github.com/apache/cloudstack/blob/c0ce5b461f816bd6a6c1ceee8c1ee3104b3dbde7/utils/src/main/java/com/cloud/utils/ssh/SSHCmdHelper.java#L228-L232
server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java#L276-L295https://github.com/apache/cloudstack/blob/c0ce5b461f816bd6a6c1ceee8c1ee3104b3dbde7/server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java#L276-L295
component:logginghttps://github.com/apache/cloudstack/issues?q=state%3Aopen%20label%3A%22component%3Alogging%22
Taskhttps://github.com/apache/cloudstack/issues?q=type:"Task"
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.