Description
Summary
A security vulnerability has been identified in the Apache CloudStack Out-of-Band Management IPMI tool driver where plaintext passwords are logged when trace-level logging is enabled. The password passed via cmd.getNewPassword() is included in the command arguments and subsequently exposed through debug logging.
Vulnerability Details
Component: org.apache.cloudstack.outofbandmanagement.driver.ipmitool.IpmitoolOutOfBandManagementDriver
Vulnerability Type: Sensitive Information Disclosure / Password Exposure in Logs
Severity: Medium to High (depending on logging configuration and log access controls)
Technical Description
In the execute(OutOfBandManagementDriverChangePasswordCommand cmd) method, the new password is passed directly to the IPMI tool command arguments:
```java
final List<String> ipmiToolCommands = IPMITOOL.getIpmiToolCommandArgs(IpmiToolPath.value(),
        IpmiToolInterface.value(), IpmiToolRetries.value(),
        cmd.getOptions(), "user", "set", "password", outOfBandManagementUserId, cmd.getNewPassword());
return IPMITOOL.executeCommands(ipmiToolCommands, cmd.getTimeout());
```

The wrapper forwards the argument list unchanged:

```java
// OutOfBandManagementDriverResponse org.apache.cloudstack.outofbandmanagement.driver.ipmitool.IpmitoolWrapper.executeCommands(List<String> commands, Duration timeOut)
public OutOfBandManagementDriverResponse executeCommands(final List<String> commands, final Duration timeOut) {
    final ProcessResult result = RUNNER.executeCommands(commands, timeOut);
    ...
}
```

These commands are finally passed to org.apache.cloudstack.utils.process.ProcessRunner.executeCommands(List<String> commands, Duration timeOut), which logs the complete command string without proper sanitization when debug logging is enabled:

```java
String commandLog = removeCommandSensitiveInfoForLogging(StringUtils.join(commands, " "));
logger.debug("Preparing command [{}] to execute.", commandLog);
final Process process = new ProcessBuilder().command(commands).start();
```
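To illustrate the mitigation pattern, the following is an added example (not CloudStack code and not the project's removeCommandSensitiveInfoForLogging): it builds a redacted copy of the argument list for logging while the unmodified list is what gets executed. The class name IpmiCommandRedactor, the method redactForLogging and the sample arguments are assumptions for this illustration; the positional "user set password <userId> <password>" layout is taken from the driver snippet above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not part of CloudStack: redact the password argument of an
// ipmitool "user set password <userId> <password>" invocation before logging.
public final class IpmiCommandRedactor {
    private static final String REDACTED = "<redacted>";

    // Hypothetical helper: returns a copy of the argument list that is safe to log.
    // The original list is left untouched so it can still be handed to ProcessBuilder.
    public static List<String> redactForLogging(List<String> commands) {
        List<String> safe = new ArrayList<>(commands);
        for (int i = 0; i < safe.size(); i++) {
            // Positional match on the ipmitool subcommand: index i+3 is the user id,
            // index i+4 is the new password. Matching by position rather than by
            // value avoids leaking a password that happens to look like a keyword.
            if (i + 4 < safe.size()
                    && "user".equals(safe.get(i))
                    && "set".equals(safe.get(i + 1))
                    && "password".equals(safe.get(i + 2))) {
                safe.set(i + 4, REDACTED);
            }
            // ipmitool's "-P <password>" option (BMC login password) also carries a
            // secret; mask the value that follows it.
            if ("-P".equals(safe.get(i)) && i + 1 < safe.size()) {
                safe.set(i + 1, REDACTED);
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample arguments, mirroring the driver's argument order.
        List<String> commands = Arrays.asList(
                "/usr/bin/ipmitool", "-I", "lanplus", "-R", "1",
                "-H", "bmc.example.invalid", "-U", "admin", "-P", "bmc-login-secret",
                "user", "set", "password", "2", "new-secret-123");

        // Log only the redacted copy; execute the original.
        String commandLog = String.join(" ", redactForLogging(commands));
        System.out.println("Preparing command [" + commandLog + "] to execute.");
        // Expected line contains "<redacted>" in place of both secrets and never
        // the literal values, even at debug/trace level.
        // new ProcessBuilder().command(commands).start(); // original list, unchanged
    }
}
```

The important property is that redaction operates on a copy that is only ever joined for the log call, so no code path can accidentally execute the redacted list or log the real one; reviewing the driver, a defender would check that the string handed to logger.debug is derived from such a copy and that the ProcessBuilder still receives the original arguments.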