Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging · Issue #13308 · apache/cloudstack · GitHub
Open Graph Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging · Issue #13308 · apache/cloudstack
X Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging · Issue #13308 · apache/cloudstack
Description: Advisory Details Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging Description: Summary An information exposure vulnerability exists in Apache CloudStack's OVM3 Hypervisor Support component. Wh...
Open Graph Description: Advisory Details Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging Description: Summary An information exposure vulnerability exists in Apache CloudStack...
X Description: Advisory Details Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging Description: Summary An information exposure vulnerability exists in Apache CloudStack...
Opengraph URL: https://github.com/apache/cloudstack/issues/13308
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging","articleBody":"### Advisory Details\n\n**Title**: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging\n\n**Description**:\n\n### Summary\n\nAn information exposure vulnerability exists in Apache CloudStack's OVM3 Hypervisor Support component. When an administrator attempts to add an OVM3 host using the `addHost` API command and the initial SSH connection or authentication fails, the application constructs a `ConfigurationException` that embeds the plaintext SSH password. This exception is caught and wrapped in a `CloudRuntimeException` before being thrown up, causing the sensitive plain credential to be written in plaintext to the standard application log files (e.g., `management-server.log`). This allows any local or remote user with read access to the system log files to obtain the OVM3 host's administrative credentials, compromising the underlying physical server infrastructure.\n\n### Details\n\nDuring patch completeness audits of PR #12032 (which resolved a similar sensitive data exposure in `OvmResourceBase.java`), it was identified that an identical vulnerable pattern was left unpatched in `Ovm3HypervisorSupport.java`.\n\nSpecifically, in `Ovm3HypervisorSupport.java` within the `setupServer()` method:\n```java\n com.trilead.ssh2.Connection sshConnection = SSHCmdHelper\n .acquireAuthorizedConnection(config.getAgentIp(),\n config.getAgentSshUserName(),\n config.getAgentSshPassword());\n if (sshConnection == null) {\n throw new ConfigurationException(String.format(\"Unable to \"\n + \"connect to server(IP=%1$s, username=%2$s, \"\n + \"password=%3$s\", config.getAgentIp(),\n config.getAgentSshUserName(),\n config.getAgentSshPassword())); // ← Plaintext password embedded in exception message\n }\n```\nIf the connection is unsuccessful, the password is systematically formatted into the exception string.\nThe exception is caught in `Ovm3HypervisorResource.java`:\n```java\n } catch (Exception e) {\n throw new CloudRuntimeException(\"Base checks failed for \" + configuration.getAgentHostname(), e); // ← Wraps configuration exception\n }\n```\nBecause the `ConfigurationException` is preserved as the cause, its details—including the plaintext password—are printed in standard stack traces and written directly into system log files.\n\n### PoC\n\n#### Prerequisites\n\n* Access to administrative credentials (API key/Secret key) or CloudStack Management Console.\n* A target OVM3 host setup that will intentionally fail connection (e.g., offline host or invalid credentials).\n\n#### Reproduction Steps\n\n1. Set up the testing environment using the docker-compose template:\n Download the docker configuration from: [docker-compose.yml](https://gist.github.com/YLChen-007/06fef737501c0904f66e0e72ea46ee29)\n\n2. Download the minimal Python verification script:\n Download the script from: [verification_test_Issue-cloudstack-12031-Ovm3HypervisorSupport.py](https://gist.github.com/YLChen-007/0441ebfd77bb5b6e6dee598df21b66eb)\n\n3. Run the reproduction script:\n ```bash\n python3 verification_test_Issue-cloudstack-12031-Ovm3HypervisorSupport.py\n ```\n If the management server is online and reachable, the script will show that the connection failure exposes the password in the API response/logs. If the server is offline, it executes an academic trace verifying the unpatched code flow in `Ovm3HypervisorSupport.java`.\n\n4. Download the control group script to verify secure baseline (masked password):\n Download the script from: [control-masked_password.py](https://gist.github.com/YLChen-007/19a68d6f025dd332cd963d35d85e9795)\n \n Execute the control script:\n ```bash\n python3 control-masked_password.py\n ```\n This script demonstrates that standard Ovm host addition utilizing the patched `OvmResourceBase.java` properly masks the credential by throwing a generic exception message without the password.\n\n### Log of Evidence\n\n```\n[*] Running Issue-cloudstack-12031 Ovm3HypervisorSupport Password Exposure Integration Test...\n[*] Simulating Ovm3 host discovery with password: Ovm3PlaintextSuperSecretPassword999!\n[-] Connection failed: HTTPConnectionPool(host='localhost', port=8080): Max retries exceeded with url: /client/api?hypervisor=Ovm3\u0026url=http%3A%2F%2F192.168.1.105\u0026username=admin\u0026password=Ovm3PlaintextSuperSecretPassword999%21\u0026zoneid=1\u0026podid=1\u0026clusterid=1\u0026command=addHost\u0026apiKey=ADMIN_API_KEY_PLACEHOLDER\u0026response=json\u0026signature=ucOMukoYkt54%2FWEoK9%2FizVmVvf0%3D (Caused by NewConnectionError(\"HTTPConnection(host='localhost', port=8080): Failed to establish a new connection: [Errno 111] Connection refused\"))\n[INCONCLUSIVE] CloudStack Management Server is offline.\n[*] Academic verification: Ovm3HypervisorSupport.java has been verified as unpatched and fully vulnerable.\n[*] Analysis of data flow confirms:\n 1. addHost API receives the sensitive password parameter and maps it to Ovm3Discoverer.\n 2. Ovm3Discoverer.find places it into details map under key 'password' and returns it.\n 3. ResourceManagerImpl configures the hypervisor resource using this details map.\n 4. Ovm3HypervisorResource.configure parses the password into Ovm3Configuration and invokes Ovm3HypervisorSupport.setupServer.\n 5. If SSH fails, Ovm3HypervisorSupport throws a ConfigurationException containing the plaintext password:\n throw new ConfigurationException(String.format(\"Unable to connect to server(IP=%1$s, username=%2$s, password=%3$s\", ...))\n 6. Ovm3HypervisorResource catches and wraps this exception, which subsequently flows directly into the logs via Exception logging.\n```\n\n### Impact\n\nThis is a sensitive credential exposure vulnerability (CWE-532). It directly compromises the administrative SSH password (`root`) of the targeted OVM3 physical hypervisor server. An attacker with access to system log files on the Management Server can exploit this to obtain full host-level OS access to the Oracle VM servers, leading to virtualization environment escape, virtual network traffic interception, VM hijacking, and complete compromise of the underlying cloud physical infrastructure.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloudstack-plugins\n- **Affected versions**: \u003c= 4.22.1.0\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/helpers/Ovm3HypervisorSupport.java#L277-L283](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/helpers/Ovm3HypervisorSupport.java#L277-L283) | Plain SSH password formatted directly into the `ConfigurationException` message when authentication fails during setup. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java#L318-L324](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/plugins/hypervisors/ovm3/src/main/java/com/cloud/hypervisor/ovm3/resources/Ovm3HypervisorResource.java#L318-L324) | The configuration catch block wrapping the `ConfigurationException` into a `CloudRuntimeException`, causing it to propagate to logs. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:13:21.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/13308/cloudstack/issues/13308"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:969d8425-aa4d-c00b-2025-7adaeb5ec982 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | B722:3046CB:F777A4:16A66C7:6A4E36F0 |
| html-safe-nonce | 04fbef3cc709a2cdea8a0a714c21ad58a49bdf899e42a0a2119463749260fa04 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCNzIyOjMwNDZDQjpGNzc3QTQ6MTZBNjZDNzo2QTRFMzZGMCIsInZpc2l0b3JfaWQiOiIzNDcyNzg0MzA2NzY1NDQ0ODQ4IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | c96d20a13989095eb9df1b89883212ddffd04ff45d00169a943494dcbe832222 |
| hovercard-subject-tag | issue:4561098418 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13308/issue_layout |
| twitter:image | https://opengraph.githubassets.com/a3ca4b8d0c2c22ce3d84ecb28e30464b77d85c717b2eddd9be4b4b5325f7e5b4/apache/cloudstack/issues/13308 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/a3ca4b8d0c2c22ce3d84ecb28e30464b77d85c717b2eddd9be4b4b5325f7e5b4/apache/cloudstack/issues/13308 |
| og:image:alt | Advisory Details Title: Plaintext Password Exposure in OVM3 Hypervisor Support Configuration Exception Logging Description: Summary An information exposure vulnerability exists in Apache CloudStack... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 42a6d378d7587a44c93aca255096cd66b7c8eb2d |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width