
[Security] Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations #13303

@YLChen-007

Description

Advisory Details

Title: Sensitive Credential Exposure via Parameter Map Serialization in Physical/Virtual Resource Configurations

Description:
Apache CloudStack is vulnerable to plaintext credential exposure when registering and configuring external network element providers (such as VMware NSX, Netris, or BigSwitch BCF) and hypervisors (such as Oracle OVM3). During configuration initialization (configure method), the resource managers check for the existence of mandatory properties (like port or url). If a required parameter is missing or connection fails, the resource managers throw a ConfigurationException that stringifies the entire unmasked configuration parameters map (params), which contains the cleartext administrator or agent password.
This exception is captured by the outer Management Server framework and is both directly returned to the calling client in the JSON HTTP REST API error response (errortext field) and logged as cleartext in system logs (management-server.log). In addition, Ovm3HypervisorResource prints the raw parameter map in debug mode, causing credentials to be persistently stored in the logging system.


Summary

An information exposure vulnerability in Apache CloudStack allows authenticated administrators or network operators to leak and obtain highly privileged plaintext credentials of underlying network elements (VMware NSX, Netris, BigSwitch) and hypervisor agents (OVM3). By submitting a resource configuration request that deliberately omits a required parameter, the platform's exception handling stringifies the entire configuration map, revealing the plaintext password in HTTP REST API error responses and system logs.


Details

In Apache CloudStack, administrators configure external infrastructure by invoking REST API commands like addNsxController, addHost, and addNetrisDevice. The framework passes these parameters in a unified params Map (Map<String, Object>) to the corresponding backend ServerResource component.
Four resource managers fail to properly mask or exclude the raw parameter map when raising exceptions or logging:

  1. NsxResource.java (Lines 186–205)
    When checking mandatory parameters (e.g. port, username, password), if a check fails, the resource manager stringifies params in the exception message:

    port = (String) params.get("port");
    if (port == null) {
        throw new ConfigurationException("Missing NSX port from params: " + params);
    }

    Since params contains the cleartext "password" field, it is converted to string and returned in the Exception message.

  2. NetrisResource.java (Lines 190–204)
    Similarly leaks cleartext credentials in Netris element configurations:

    endpointUrl = (String) params.get("url");
    if (endpointUrl == null) {
        throw new ConfigurationException("Missing Netris provider URL from params: " + params);
    }

  3. BigSwitchBcfResource.java (Lines 106–124)
    Leaks credentials in BigSwitch BCF configuration error messages:

    String hostname = (String)params.get("hostname");
    if (hostname == null) {
        throw new ConfigurationException("Missing host name from params: " + params);
    }

  4. Ovm3HypervisorResource.java (Line 308)
    Logs the complete parameter map including unmasked OVS agent passwords in debug logging:

    @Override
    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
        logger.debug("configure " + name + " with params: " + params);
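
The hardened shape of these checks, as an added example that is not CloudStack's own code: the exception names only the missing key, and a hypothetical redact() helper masks secret-bearing keys before the map is ever logged. The class name ParamRedaction, the require() helper and the SECRET_KEYS list are assumptions for illustration; the key names mirror the fields visible in the leaked payload above (password, apiKey, signature).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.naming.ConfigurationException;

// Hypothetical helper and hardened configure()-style check (added example, not CloudStack code).
public final class ParamRedaction {
    // Keys whose values must never reach an exception message or a log line.
    // Illustrative set; a real deployment aligns it with the fields the API treats as secret.
    private static final Set<String> SECRET_KEYS =
            Set.of("password", "apikey", "secretkey", "signature", "privatekey");

    /** Returns a copy of params with secret values replaced by a fixed mask. */
    public static Map<String, Object> redact(Map<String, Object> params) {
        Map<String, Object> safe = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : params.entrySet()) {
            String key = e.getKey();
            boolean secret = key != null && SECRET_KEYS.contains(key.toLowerCase());
            safe.put(key, secret ? "******" : e.getValue());
        }
        return safe;
    }

    /** Hardened mandatory-parameter check: the message names the missing key, never the map. */
    public static String require(Map<String, Object> params, String key)
            throws ConfigurationException {
        Object value = params.get(key);
        if (value == null) {
            throw new ConfigurationException("Missing required parameter '" + key + "'");
        }
        return (String) value;
    }

    public static void main(String[] args) {
        // Constructed sample input: "port" is deliberately absent to trigger the failure path.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("hostname", "192.0.2.10");
        params.put("username", "admin");
        params.put("password", "constructed-secret");
        try {
            require(params, "hostname");
            require(params, "port");
        } catch (ConfigurationException ex) {
            // Safe to return to a client or write to management-server.log:
            // the message names the key and the redacted map hides the secret.
            System.out.println(ex.getMessage() + " in " + redact(params));
        }
    }
}
```

The same redact() call is the safe form of the Ovm3HypervisorResource debug statement: log redact(params) rather than params.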

PoC

Prerequisites

  • Python 3.x with the requests library installed.
  • CloudStack Management Server administrative API access (or a simulated test environment).

Reproduction Steps

To reproduce the credential leakage safely and reliably without a full multi-gigabyte Apache CloudStack cluster setup, we use the local mock verification script which simulates the backend resource validation logic:

  1. Download the isolated environment setup from: docker-compose.yml
  2. Download the Vulnerability Verification PoC script from: verification_test_Issue-cloudstack-11985-ResourceParams.py
  3. Download the Control Group Verification script from: control-masked_exception.py
  4. Execute the verification test to demonstrate the plaintext password leakage:
    python3 verification_test_Issue-cloudstack-11985-ResourceParams.py
  5. Execute the control test to confirm that a secured backend correctly masks or omits the parameter map:
    python3 control-masked_exception.py

Log of Evidence

Upon executing the verification test (verification_test_Issue-cloudstack-11985-ResourceParams.py), the following runtime console output confirms the defect by capturing the cleartext password HighlySensitiveResourcePassword123! directly in the error response payload:

[*] Starting Local Vulnerability Mock Server...
[*] Running Issue-cloudstack-11985 ResourceParams Credential Leakage Integration Test...
[*] Dispatching addNsxController command with sensitive password: HighlySensitiveResourcePassword123!
[*] Response Status Code: 530
[*] Response Payload: {'addnsxcontrollerresponse': {'errorcode': 530, 'errortext': "com.cloud.utils.exception.CloudRuntimeException: javax.naming.ConfigurationException: Missing NSX port from params: {'name': 'mock-nsx-provider', 'hostname': '192.168.1.100', 'username': 'admin', 'password': 'HighlySensitiveResourcePassword123!', 'tier0gateway': 'T0-GW', 'edgecluster': 'Edge-Cluster', 'transportzone': 'TZ-Overlay', 'zoneid': '00000000-0000-0000-0000-000000000000', 'command': 'addNsxController', 'apiKey': 'ADMIN_API_KEY_PLACEHOLDER', 'response': 'json', 'signature': 'ud2x93R63p7cIk/kdPJt1+3lyv8='}"}}
[DEFECT CONFIRMED] Plaintext password leaked in the API error response!

Impact

  • Vulnerability Type: Information Exposure / Plaintext Credential Leakage (CWE-209 / CWE-532)
  • Assets Compromised: High-privilege control-plane infrastructure credentials (including VMware NSX, Netris switches, BigSwitch BCF, and OVM3 hypervisors).
  • Consequences: An attacker or operator with device configuration permissions can retrieve the raw plaintext credentials of core SD-WAN controllers and network switches, enabling them to alter overlay network topologies, capture data plane traffic, or bypass boundary controls. In the case of OVM3, leaking agent credentials yields root SSH access on physical hypervisors. Furthermore, persistently logging these credentials violates standard PCI-DSS and security audit compliance controls.

Affected products

  • Ecosystem: maven
  • Package name: org.apache.cloudstack:cloudstack
  • Affected versions: <= 4.22.1.0
  • Patched versions:

Severity

  • Severity: High
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses

  • CWE-209: Generation of Error Message Containing Sensitive Information
  • CWE-532: Insertion of Sensitive Information into Log File

Occurrences

Each occurrence lists the permalinked code followed by its description.

Permalink (NsxResource.java):

    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
        hostname = (String) params.get("hostname");
        if (hostname == null) {
            throw new ConfigurationException("Missing NSX hostname from params: " + params);
        }
        port = (String) params.get("port");
        if (port == null) {
            throw new ConfigurationException("Missing NSX port from params: " + params);
        }
        username = (String) params.get("username");
        if (username == null) {
            throw new ConfigurationException("Missing NSX username from params: " + params);
        }
        password = (String) params.get("password");
        if (password == null) {
            throw new ConfigurationException("Missing NSX password from params: " + params);
        }

Description: Vulnerable parameter map stringification inside NsxResource configuration validation exceptions.

Permalink (NetrisResource.java):

    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
        endpointUrl = (String) params.get("url");
        if (endpointUrl == null) {
            throw new ConfigurationException("Missing Netris provider URL from params: " + params);
        }
        username = (String) params.get("username");
        if (username == null) {
            throw new ConfigurationException("Missing Netris username from params: " + params);
        }
        password = (String) params.get("password");
        if (password == null) {
            throw new ConfigurationException("Missing Netris password from params: " + params);
        }

Description: Vulnerable parameter map stringification inside NetrisResource configuration validation exceptions.

Permalink (BigSwitchBcfResource.java):

    String hostname = (String)params.get("hostname");
    if (hostname == null) {
        throw new ConfigurationException("Missing host name from params: " + params);
    }
    String username = (String) params.get("username");
    if (username == null) {
        throw new ConfigurationException("Missing user name from params: " + params);
    }
    String password = (String) params.get("password");
    if (password == null) {
        throw new ConfigurationException("Missing password from params: " + params);
    }
    Boolean nat = Boolean.parseBoolean((String) params.get("nat"));
    if (nat == null) {
        throw new ConfigurationException("Missing password from params: " + params);
    }

Description: Vulnerable parameter map stringification inside BigSwitchBcfResource configuration validation exceptions.

Permalink (Ovm3HypervisorResource.java):

Description: Plaintext logging of the parameters map containing passwords inside Ovm3HypervisorResource configuration debug statements.
