Description
We have identified a security vulnerability where sensitive data (user-data and public-keys) is exposed through application logs during the execution of VmDataCommand.
Data Flow
1. Sensitive Data Injection
In com.cloud.network.router.CommandSetupHelper.generateVmDataCommand, sensitive information including user data and public keys is added to the VmDataCommand:
// com.cloud.network.router.CommandSetupHelper.generateVmDataCommand
private VmDataCommand generateVmDataCommand(final VirtualRouter router, final String vmPrivateIpAddress, final String userData, String userDataDetails, final String serviceOffering,
final String zoneName, final String publicIpAddress, final String vmName, final String vmInstanceName, final long vmId, final String vmUuid, final String publicKey,
final long guestNetworkId, String hostname) {
final VmDataCommand cmd = new VmDataCommand(vmPrivateIpAddress, vmName, _networkModel.getExecuteInSeqNtwkElmtCmd());
...
cmd.addVmData("userdata", "user-data", userData);
...
cmd.addVmData("metadata", "public-keys", publicKey);

2. Script Construction with Sensitive Data
In com.cloud.baremetal.networkservice.BaremetalKickStartPxeResource.execute, the VM data containing sensitive information is retrieved and embedded into a shell script command:
//com.cloud.baremetal.networkservice.BaremetalKickStartPxeResource.execute
private Answer execute(VmDataCommand cmd) {
com.trilead.ssh2.Connection sshConnection = new com.trilead.ssh2.Connection(_ip, 22);
try {
List<String[]> vmData = cmd.getVmData();
StringBuilder sb = new StringBuilder();
for (String[] data : vmData) {
String folder = data[0];
String file = data[1];
String contents = (data[2] == null) ? "none" : data[2];
sb.append(cmd.getVmIpAddress());
sb.append(",");
sb.append(folder);
sb.append(",");
sb.append(file);
sb.append(",");
sb.append(contents); // Sensitive data included here
sb.append(";");
}
String arg = StringUtils.stripEnd(sb.toString(), ";");
String script = String.format("python /usr/bin/baremetal_user_data.py '%s'", arg);
if (!SSHCmdHelper.sshExecuteCmd(sshConnection, script)) {
return new Answer(cmd, false, "Failed to add user data, command:" + script);
}

3. Sensitive Data Logged
Finally, in com.cloud.utils.ssh.SSHCmdHelper.sshExecuteCmdOneShot, the constructed script containing sensitive data is logged at DEBUG level:
// com.cloud.utils.ssh.SSHCmdHelper.sshExecuteCmdOneShot
public static SSHCmdResult sshExecuteCmdOneShot(com.trilead.ssh2.Connection sshConnection, String cmd) throws SshException {
LOGGER.debug("Executing cmd: " + cmd.split(KeyStoreUtils.KS_FILENAME)[0]); // ← Sensitive data logged here
Session sshSession = null;
try {
sshSession = sshConnection.openSession();
Thread.sleep(1000);
if (sshSession == null) {
throw new SshException("Cannot open ssh session");
}
// ... execution continues
}
...
if (!StringUtils.isAllEmpty(result.getStdOut(), result.getStdErr())) {
LOGGER.debug("SSH command: " + cmd.split(KeyStoreUtils.KS_FILENAME)[0] + "\nSSH command output:" + result.getStdOut().split("-----BEGIN")[0] + "\n" + result.getStdErr()); // ← Sensitive data logged here again
}
}

Security Impact
This vulnerability results in sensitive information being written to application logs, including:
- User-data: May contain passwords, API keys, configuration secrets, or other confidential initialization data
- Public keys: SSH public keys that could be used for reconnaissance or social engineering attacks
When debug logging is enabled, this sensitive data becomes accessible to anyone with access to the log files, potentially including:
- System administrators
- Log aggregation systems
- Backup systems
- Attackers who gain unauthorized access to log storage
This constitutes a violation of security best practices and may lead to unauthorized access or information disclosure.
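
One way to keep the contents field out of the DEBUG line is to build a second, log-safe copy of the command. This is an added example, not CloudStack code: the class `VmDataLogRedaction`, the method `buildScript`, the `KS_FILENAME_PLACEHOLDER` constant and the sample VM data are all hypothetical or constructed.

```java
import java.util.List;
import java.util.StringJoiner;

// Added example: hypothetical helper, not part of CloudStack.
public class VmDataLogRedaction {
    // Placeholder standing in for KeyStoreUtils.KS_FILENAME; the real value is not shown in the report.
    static final String KS_FILENAME_PLACEHOLDER = "<keystore-filename>";

    // Builds the "ip,folder,file,contents;..." argument in the layout used by
    // BaremetalKickStartPxeResource.execute. With forLog=true the contents
    // field is replaced by a length marker so the secret never reaches the logger.
    static String buildScript(String vmIp, List<String[]> vmData, boolean forLog) {
        StringJoiner arg = new StringJoiner(";");
        for (String[] data : vmData) {
            String contents = (data[2] == null) ? "none" : data[2];
            if (forLog && data[2] != null) {
                // Keep only the size, which is enough to correlate entries while debugging.
                contents = "<redacted:" + contents.length() + " chars>";
            }
            arg.add(vmIp + "," + data[0] + "," + data[1] + "," + contents);
        }
        return String.format("python /usr/bin/baremetal_user_data.py '%s'", arg.toString());
    }

    public static void main(String[] args) {
        // Constructed sample VM data; every value is fake.
        List<String[]> vmData = List.of(
            new String[] {"userdata", "user-data", "#cloud-config\npassword: example-not-real"},
            new String[] {"metadata", "public-keys", "ssh-ed25519 AAAAEXAMPLEKEY user@example"},
            new String[] {"metadata", "instance-id", null});

        String executed = buildScript("10.1.1.20", vmData, false); // sent over SSH
        String logSafe = buildScript("10.1.1.20", vmData, true);   // handed to the logger

        // The split-based trimming from the report removes nothing here, because
        // the command never contains the keystore file name.
        String currentLogLine = executed.split(KS_FILENAME_PLACEHOLDER)[0];

        System.out.println("split-based line contains secret: " + currentLogLine.contains("example-not-real"));
        System.out.println("redacted line contains secret:    " + logSafe.contains("example-not-real"));
        System.out.println("Executing cmd: " + logSafe);
    }
}
```

Because the logging happens inside SSHCmdHelper, which only receives the finished command string, using a log-safe copy there would need the caller to pass it in separately; how that is wired up is left open here.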