
Password in plaintext in management and access logs

Open CodeBleu opened this issue 1 year ago • 8 comments

ISSUE TYPE
  • Bug Report
COMPONENT NAME
Logs
CLOUDSTACK VERSION
4.19.1.0, 4.18.1.0
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

Password and sensitive information are shown in plaintext in the management and access logs on the management server.

STEPS TO REPRODUCE
Looking in log files.
EXPECTED RESULTS
No sensitive passwords or secrets in logs
ACTUAL RESULTS
/var/log/cloudstack/management/access.log:1077542308:10.30.0.61 - - [09/Aug/2024:16:42:01 +0000] "GET /client/api?account=joe-again-1286&apiKey=<apikey>&command=addVpnUser&domainid=c91a0528-377b-48aa-9c7b-2c7ead68200d&password=TOPSECRETPASSWORD&response=json&username=seantest2&signature=Ek%2BC7EGsrmNi0ONFL%2BxJBJxSGe0%3D HTTP/1.1" 200 115 "-" "GuzzleHttp/7" 86

/var/log/cloudstack/management/management-server.log:122775505:{u'vpn_users': [{u'add': True, u'password': u'TOPSECRETPASSWORD', u'user': u'seantest2'}], u'type': u'vpnuserlist', u'delete_from_processed_cache': False}


CodeBleu avatar Aug 09 '24 17:08 CodeBleu

Thanks for opening your first issue here! Be sure to follow the issue template!

boring-cyborg[bot] avatar Aug 09 '24 17:08 boring-cyborg[bot]

It is best to send credentials in a POST.

rajujith avatar Aug 12 '24 04:08 rajujith

@rohityadavcloud Is there any way this can be bumped up to a release sooner than 4.20.0.0? Being that this is a Security and Auditing issue, it would be nice to have this resolved sooner rather than later.

CodeBleu avatar Aug 14 '24 15:08 CodeBleu

The first issue, with access.log, has been discussed before; users can redirect the file access.log to /dev/null, as suggested by @DaanHoogland.

The second issue (VPN user passwords are displayed in management-server.log) seems to only impact VPN users. I was able to reproduce the issue. It may not deserve a security release. I will have a look.

cc @rohityadavcloud @DaanHoogland @sureshanaparti

weizhouapache avatar Aug 22 '24 09:08 weizhouapache

> The first issue, with access.log, has been discussed before; users can redirect the file access.log to /dev/null, as suggested by @DaanHoogland.
>
> The second issue (VPN user passwords are displayed in management-server.log) seems to only impact VPN users. I was able to reproduce the issue. It may not deserve a security release. I will have a look.
>
> cc @rohityadavcloud @DaanHoogland @sureshanaparti

@DaanHoogland do you have the link to what @weizhouapache is talking about for the access.log to /dev/null?

Depending on what that says, I'm not sure if that is an acceptable solution for me, because I want to see the access.log, but I don't want to see the passwords in it.

CodeBleu avatar Aug 22 '24 23:08 CodeBleu

> Depending on what that says, I'm not sure if that is an acceptable solution for me, because I want to see the access.log, but I don't want to see the passwords in it.

In that case it is not acceptable for you and you'll need to sanitise the access log somehow.

DaanHoogland avatar Aug 23 '24 08:08 DaanHoogland
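
One way to do the sanitising suggested in the comment above, as an added example that is not part of the original thread or of CloudStack's code: a Python filter that masks the values of the `password`, `apiKey` and `signature` query parameters seen in the reported access.log line. The function names, the mask string and the sample line are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Parameter names taken from the log line in the report; extend for your deployment.
SENSITIVE = {"password", "apikey", "signature"}
MASK = "***REDACTED***"
# Request field of an NCSA access-log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample in the shape of the reported line (all values are placeholders).
SAMPLE = ('10.0.0.1 - - [09/Aug/2024:16:42:01 +0000] "GET /client/api?apiKey=EXAMPLEKEY'
          '&command=addVpnUser&password=EXAMPLEPASS&response=json&username=demo'
          '&signature=EXAMPLESIG%3D HTTP/1.1" 200 115 "-" "GuzzleHttp/7" 86')


def _mask_query(query, hits):
    """Mask values of sensitive parameters; keep order and all other pairs as-is."""
    out = []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        # Decode the name so a percent-encoded spelling of "password" is still caught.
        if sep and value and unquote(name).lower() in SENSITIVE:
            hits.append(name)
            pair = f"{name}={MASK}"
        out.append(pair)
    return "&".join(out)


def redact_line(line):
    """Return (redacted_line, masked_parameter_names) for one access-log line."""
    hits = []

    def repl(m):
        path, sep, query = m.group("target").partition("?")
        if not sep:
            return m.group(0)  # no query string, nothing to mask
        masked = _mask_query(query, hits)
        return f'"{m.group("method")} {path}?{masked} {m.group("proto")}"'

    return REQUEST_RE.sub(repl, line, count=1), hits


if __name__ == "__main__":
    redacted, names = redact_line(SAMPLE)
    print(redacted)
    print("masked parameters:", names)
```

The returned parameter names can be used to audit existing logs for exposure without printing the secret values themselves. Masking when logs are read or shipped does not remove what the server has already written to disk.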

> > Depending on what that says, I'm not sure if that is an acceptable solution for me, because I want to see the access.log, but I don't want to see the passwords in it.
>
> In that case it is not acceptable for you and you'll need to sanitise the access log somehow.

But it makes more sense (from a security perspective) to not have the passwords/secrets hit the log in the first place. Sanitizing it after the fact is kinda pointless.

@rohityadavcloud @weizhouapache Can you please look into removing or obfuscating password information that is making it to access.log, or any log for that matter, from the actual code and not a retro solution or access.log > /dev/null?

CodeBleu avatar Aug 24 '24 13:08 CodeBleu

> > > Depending on what that says, I'm not sure if that is an acceptable solution for me, because I want to see the access.log, but I don't want to see the passwords in it.
> >
> > In that case it is not acceptable for you and you'll need to sanitise the access log somehow.
>
> But it makes more sense (from a security perspective) to not have the passwords/secrets hit the log in the first place. Sanitizing it after the fact is kinda pointless.
>
> @rohityadavcloud @weizhouapache Can you please look into removing or obfuscating password information that is making it to access.log, or any log for that matter, from the actual code and not a retro solution or access.log > /dev/null?

It looks like all credentials in access.log are plain text. ACS uses the NCSARequestLog class to log request logs. I am not sure if it is possible to hide some information. If not, then need to look for another solution.

At this moment, I think you have to make a decision, @CodeBleu; since the API calls are also saved in apilog.log and management-server.log, maybe you can just redirect access.log to /dev/null.

weizhouapache avatar Aug 26 '24 07:08 weizhouapache

Fixed by https://github.com/apache/cloudstack/pull/9568 - please review and reopen if necessary or if something got missed.

rohityadavcloud avatar Sep 04 '24 06:09 rohityadavcloud