S3 credentials leak in log files #10339

@namsral

Description

S3 credentials used to create a Secondary Storage instance are leaked to the following files:

  • /var/log/cloudstack/management/access.log
  • /var/log/cloudstack/management/management-server.log

Although the debug mode is enabled, I don't recommend logging secrets like S3 credentials.

Example entry containing the S3 credentials (sensitive information is redacted):

2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource] (pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command "DownloadCommand" [
  {
    "hvm": false,
    "description": "SystemVM Template (KVM)",
    "checksum": "6bb8edf3c062ed5625a3a8f17b3eedc9",
    "maxDownloadSizeInBytes": 53687091200,
    "id": 3,
    "resourceType": "TEMPLATE",
    "installPath": "template/tmpl/1/3/routing-3",
    "_store": {
      "id": 2,
      "uuid": "0f1bd354-0dc3-4e65-a370-6b02acec0735",
      "accessKey": "<redacted>",
      "secretKey": "<redacted>",
      "endPoint": "http://<redacted>",
      "bucketName": "cloudstack",
      "httpsFlag": false,
      "created": "Feb 6, 2025, 3:50:27 PM",
      "enableRRS": false,
      "maxSingleUploadSizeInBytes": 5368709120
    },
    "followRedirects": false,
    "url": "https://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.0-x86_64-kvm.qcow2.bz2",
    "format": "QCOW2",
    "accountId": 1,
    "name": "routing-3",
    "contextMap": {},
    "wait": 0,
    "bypassHostMaintenance": false
  }
]

Versions

CloudStack: 4.20.0.0
Hypervisor: KVM
Secondary Storage: Ceph RGW S3
Distro: Ubuntu 22.04 LTS

The steps to reproduce the bug

  1. Deploy CloudStack Management server version 4.20.0.0
  2. Create a Secondary Storage using S3 credentials (accessKey and secretKey)
  3. Grep the log file directory for the secret key: grep <secretKey> -R /var/log/cloudstack/management/{access,management-server}.log

What to do about it?

Redact at least the secretKey from the log entry.
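As an added illustration of the mitigation requested above (example code, not CloudStack's own), the following Python redacts `accessKey`/`secretKey` values from the pretty-printed JSON that follows an "Executing command" debug line, and checks that a known secret no longer appears anywhere in the output. The sample entry is constructed after the one in this issue, with fake key values; the broader key denylist is an assumption.

```python
import re

# Field names whose values must never reach a log file. "accessKey" and
# "secretKey" come from the DownloadCommand entry in this issue; the other
# two are a constructed, broader denylist (assumption, not CloudStack's).
SENSITIVE_KEYS = ("accessKey", "secretKey", "password", "token")

# Matches `"key": "value"` pairs in the JSON appended to the debug line.
# The value part tolerates escaped quotes inside the secret.
_KV_RE = re.compile(
    r'"(?P<key>' + "|".join(SENSITIVE_KEYS) + r')"'
    r'(?P<sep>\s*:\s*)"(?P<val>(?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)


def redact_log_text(text: str) -> str:
    """Replace the value of every sensitive key with "<redacted>"."""
    return _KV_RE.sub(
        lambda m: f'"{m.group("key")}"{m.group("sep")}"<redacted>"', text
    )


def find_leaks(text: str, secrets) -> list[int]:
    """Return 1-based line numbers still containing any of the given secrets
    (the programmatic equivalent of the grep step in this issue)."""
    return [
        lineno
        for lineno, line in enumerate(text.splitlines(), start=1)
        if any(s in line for s in secrets)
    ]


# Constructed sample modelled on the log entry above; key values are fake.
SAMPLE_ENTRY = """2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource] (pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command "DownloadCommand" [
  {
    "installPath": "template/tmpl/1/3/routing-3",
    "_store": {
      "id": 2,
      "accessKey": "AKIAEXAMPLEFAKEKEY",
      "secretKey": "fakeSecret/With\\"Quote+Slashes",
      "endPoint": "http://rgw.example.internal",
      "bucketName": "cloudstack"
    }
  }
]"""

if __name__ == "__main__":
    redacted = redact_log_text(SAMPLE_ENTRY)
    print(redacted)
    print("leaks after redaction:",
          find_leaks(redacted, ["AKIAEXAMPLEFAKEKEY", "fakeSecret"]))
```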

Activity

boring-cyborg commented on Feb 6, 2025

Thanks for opening your first issue here! Be sure to follow the issue template!

added this to the 4.20.1 milestone on Feb 13, 2025
jerome079 commented on Apr 4, 2025

Hi, @bradywilkin and I are students at the University of Texas at Austin. As part of our virtualization class, we would like to contribute to Apache Cloudstack and resolve this issue.

DaanHoogland (Contributor) commented on Apr 7, 2025

@jerome079 @bradywilkin, you are very welcome. Please add a PR towards the 4.20 branch and ping the author (and others) for testing and reviews.

linked a pull request that will close this issue on May 4, 2025
modified the milestones: 4.20.1, 4.20.2 on Jun 3, 2025
moved this from Todo to ready for Testing in Apache CloudStack BugFest - Issues on Jul 10, 2025