Title: Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs · Issue #13309 · apache/cloudstack · GitHub
Open Graph Title: Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs · Issue #13309 · apache/cloudstack
X Title: Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs · Issue #13309 · apache/cloudstack
Description: Advisory Details Title: Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs Description: Apache CloudStack uses the core utility class com.cloud.utils.script.Script to execu...
Open Graph Description: Advisory Details Title: Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs Description: Apache CloudStack uses the core utility clas...
X Description: Advisory Details Title: Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs Description: Apache CloudStack uses the core utility clas...
Opengraph URL: https://github.com/apache/cloudstack/issues/13309
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs","articleBody":"### Advisory Details\n\n**Title**: Vulnerability in `Script.java` Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs\n\n**Description**:\n\nApache CloudStack uses the core utility class `com.cloud.utils.script.Script` to execute external system processes (such as `qemu-img` conversion, block device mapping, and shell operations). To prevent sensitive access keys or passwords from appearing in console and file logging, `Script.java` implements a custom command line builder (`buildCommandLine`) that obscures arguments using a helper method `sanitizeRbdFileFormatCmdParameter`.\n\nHowever, the current implementation of `sanitizeRbdFileFormatCmdParameter` contains several logic vulnerabilities that allow attackers/users to bypass masking entirely under three common operational scenarios:\n1. **URI-based Ceph Credentials:** Storage network URI patterns (e.g. `rbd://username:password@host/pool`) do not contain the substring `\"key=\"` and use a scheme starting with `\"rbd://\"` rather than `\"rbd:\"`. This skips the sanitization conditions entirely.\n2. **Bash Execution Wrappers:** If commands are executed via standard shell wrappers (e.g. `[\"/bin/bash\", \"-c\", \"qemu-img convert ... rbd:pool/image:key=secret\"]`), the evaluated argument string begins with the shell prefix rather than `\"rbd:\"`. This triggers the prefix constraint `!cmd.startsWith(\"rbd:\")` and leaves the plaintext key unmasked.\n3. **Multiple key= Occurrences:** The method splits arguments using `cmd.split(\"key=\")` and exits immediately if `tokens.length != 2`. If a Base64-encoded Ceph key contains the substring `key=` or other properties introduce multiple `key=` elements, the length constraint is violated, and the raw plaintext key is logged to disk.\n\n### Summary\n\nAn information leakage vulnerability in Apache CloudStack's central process execution logging utility (`com.cloud.utils.script.Script`) allows plaintext storage pool credentials (usernames and passwords/keys) to be logged in the clear when Ceph RBD connection options, network URIs, or multiple key options are executed as shell commands.\n\n### Details\n\nThe vulnerability lies in the implementation of the private `sanitizeRbdFileFormatCmdParameter` method in `utils/src/main/java/com/cloud/utils/script/Script.java`:\n\n```java\n private boolean sanitizeRbdFileFormatCmdParameter(String cmd, StringBuilder builder) {\n if (StringUtils.isEmpty(cmd) || !cmd.startsWith(\"rbd:\") || !cmd.contains(\"key=\")) {\n return false;\n }\n\n String[] tokens = cmd.split(\"key=\");\n if (tokens.length != 2) {\n return false;\n }\n ...\n```\n\n- **Prefix Bypass:** If `cmd` is a standard RBD network URI (`rbd://user:pass@host/pool`), it does not contain the substring `\"key=\"` and is processed as a standard unsanitized parameter, outputting the embedded credentials in plaintext.\n- **Shell Wrapper Bypass:** When running commands via helper utilities (like `/bin/bash -c \"...\"`), the entire shell string is treated as a single argument. Because this parameter starts with `/bin/bash` or `qemu-img` instead of `\"rbd:\"`, the startsWith check fails, outputting the plaintext password to the log.\n- **Split Count Bypass:** If a Base64-encoded Ceph key or other parameters within the command string introduce multiple `key=` substrings, `tokens.length` exceeds `2`, skipping the sanitization process entirely and printing the plaintext key.\n\n### PoC\n\n#### Prerequisites\n\n- Java Development Kit (JDK 11 or higher).\n- Maven 3.x for executing JUnit test validations.\n- Python 3.x for running integration simulation scripts.\n\n#### Reproduction Steps\n\n1. Download the automated logical verification script from: [verification_test.py](https://gist.github.com/YLChen-007/4d8ecc1d6041177bac3d12da5a30becd)\n2. Download the scientific control group script from: [control-normal_sanitization.py](https://gist.github.com/YLChen-007/756c21564a106bc60c27e521f1b7674f)\n3. Execute the automated logical verification script:\n ```bash\n python3 verification_test.py\n ```\n4. Execute the scientific control group script to confirm normal sanitization remains functional:\n ```bash\n python3 control-normal_sanitization.py\n ```\n5. Alternatively, run the built-in repository unit tests which demonstrate the exact unpatched variant behavior:\n ```bash\n mvn test -pl utils -Dtest=ScriptTest\n ```\n\n### Log of Evidence\n\n```\n=========================================================================\n[*] Running RbdLogLeak Defect Variant Verification\n=========================================================================\n[*] Stage 1: Attempting to connect to running CloudStack Management Server...\n[!] CloudStack Management Server is offline (Expected in isolated environment).\n[*] Switching to Academic/Logical Code-Path Verification...\n\n--- Flow 1: RBD URI with Credentials ---\nOriginal constructed command:\n qemu-img convert rbd://cloudstack:AQD-hJxklW1RGRAAA56oHGN6d-WPDLss2b05Cw==@ceph-mon:6789/pool/volume\nLogged command from Script.java:\n qemu-img convert rbd://cloudstack:AQD-hJxklW1RGRAAA56oHGN6d-WPDLss2b05Cw==@ceph-mon:6789/pool/volume\n🔴 [DEFECT-CONFIRMED] Plaintext Ceph secret is fully exposed in Flow 1 log output!\n\n--- Flow 2: RBD connection options in Bash Script Execution ---\nOriginal constructed command:\n /bin/bash -c qemu-img convert -O qcow2 rbd:pool/image:key=supersecretpass999:auth_supported=cephx /tmp/output.qcow2\nLogged command from Script.java:\n /bin/bash -c qemu-img convert -O qcow2 rbd:pool/image:key=supersecretpass999:auth_supported=cephx /tmp/output.qcow2\n🔴 [DEFECT-CONFIRMED] Plaintext Ceph secret is fully exposed in Flow 2 log output!\n\n--- Flow 3: RBD key= option with multiple occurrences ---\nOriginal constructed command:\n qemu-img convert rbd:pool/image:key=secret1:some_option=key=secret2\nLogged command from Script.java:\n qemu-img convert rbd:pool/image:key=secret1:some_option=key=secret2\n🔴 [DEFECT-CONFIRMED] Plaintext Ceph secret is fully exposed in Flow 3 log output!\n\n=========================================================================\nRESULT: DEFECT-CONFIRMED (TRUE POSITIVE)\n=========================================================================\n\n=========================================================================\n[*] Running RbdLogLeak Defect Control Test (Scientific Control Group)\n=========================================================================\n\n--- Control Group: Normal Ceph RBD parameter string ---\nOriginal constructed command:\n rbd:pool/image:key=my-ceph-secret-key:auth_supported=cephx\nLogged command from Script.java:\n rbd:pool/image:key=******:auth_supported=cephx\n🟢 [CONTROL-PASSED] Plaintext Ceph secret was successfully masked to 'key=******'.\n=========================================================================\nRESULT: CONTROL-PASSED\n=========================================================================\n```\n\n### Impact\n\n- **Vulnerability Category:** Exposure of Sensitive Information to an Unauthorized Actor via Log Files.\n- **Assets Compromised:** Central primary storage / Ceph RBD storage clusters.\n- **Exploitation Impact:** Leaking master Ceph storage credentials into the application log allows anyone with log file access (such as system administrators, SOC analysts, log aggregator databases) to obtain full administrative control over the entire Ceph cluster. An attacker can read, modify, or delete virtual machine templates, primary disk files, system volumes, snapshots, and customer raw databases.\n\n### Affected products\n\n- **Ecosystem**: maven\n- **Package name**: org.apache.cloudstack:cloud-utils\n- **Affected versions**: `\u003c= 4.22.1.0`\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n### Weaknesses\n\n- **CWE**: CWE-532: Insertion of Sensitive Information into Log File\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L202-L221](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L202-L221) | The vulnerable helper `sanitizeRbdFileFormatCmdParameter` containing fragile startsWith prefix and token split constraints that ignore different URI schemes and shell wrapper sub-commands. |\n| [https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L166-L186](https://github.com/apache/cloudstack/blob/348ce953a99246a756b527994f7745a7be038234/utils/src/main/java/com/cloud/utils/script/Script.java#L166-L186) | The `buildCommandLine` execution parameters builder that calls `sanitizeRbdFileFormatCmdParameter` without robust token extraction or regex-based masking of secrets. |","author":{"url":"https://github.com/YLChen-007","@type":"Person","name":"YLChen-007"},"datePublished":"2026-06-01T07:13:33.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13309/cloudstack/issues/13309"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:b6eb43b7-9230-f4ae-8071-828e154b9549 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 875A:323A96:178D4D2:224674E:6A4E4E46 |
| html-safe-nonce | e045fafbdbbdb1cf1ca5708e025f75ca5329a3f59d42ce53315409e98912e3b4 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4NzVBOjMyM0E5NjoxNzhENEQyOjIyNDY3NEU6NkE0RTRFNDYiLCJ2aXNpdG9yX2lkIjoiMzkwODE2NjIxOTU5Nzc2MjExOCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 3afad4a3c9e62535ee7911836682382b913c2a5d671c44dedb4019bfe655f283 |
| hovercard-subject-tag | issue:4561099498 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13309/issue_layout |
| twitter:image | https://opengraph.githubassets.com/db2ab75b5dbefbc07ea9fe34cf01cc842f4442004e4fb2548b13dc1b4787cf06/apache/cloudstack/issues/13309 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/db2ab75b5dbefbc07ea9fe34cf01cc842f4442004e4fb2548b13dc1b4787cf06/apache/cloudstack/issues/13309 |
| og:image:alt | Advisory Details Title: Vulnerability in Script.java Command Sanitization Allows Exposure of Plaintext Ceph RBD Storage Credentials in Logs Description: Apache CloudStack uses the core utility clas... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | YLChen-007 |
| hostname | github.com |
| expected-hostname | github.com |
| None | 030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | e8506f6d0538364886e3f0153c154c410965e70d |
| ui-target | canary-2 |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width