
S3 credentials leak in log files #10339

Open
namsral opened this issue Feb 6, 2025 · 1 comment
namsral commented Feb 6, 2025

S3 credentials used to create a Secondary Storage instance are leaked to the following files:

  • /var/log/cloudstack/management/access.log
  • /var/log/cloudstack/management/management-server.log

Although the debug mode is enabled, I don't recommend logging secrets like S3 credentials.

Example entry containing the S3 credentials (sensitive information is redacted):

2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource] (pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command "DownloadCommand" [
  {
    "hvm": false,
    "description": "SystemVM Template (KVM)",
    "checksum": "6bb8edf3c062ed5625a3a8f17b3eedc9",
    "maxDownloadSizeInBytes": 53687091200,
    "id": 3,
    "resourceType": "TEMPLATE",
    "installPath": "template/tmpl/1/3/routing-3",
    "_store": {
      "id": 2,
      "uuid": "0f1bd354-0dc3-4e65-a370-6b02acec0735",
      "accessKey": "<redacted>",
      "secretKey": "<redacted>",
      "endPoint": "http://<redacted>",
      "bucketName": "cloudstack",
      "httpsFlag": false,
      "created": "Feb 6, 2025, 3:50:27 PM",
      "enableRRS": false,
      "maxSingleUploadSizeInBytes": 5368709120
    },
    "followRedirects": false,
    "url": "https://download.cloudstack.org/systemvm/4.20/systemvmtemplate-4.20.0-x86_64-kvm.qcow2.bz2",
    "format": "QCOW2",
    "accountId": 1,
    "name": "routing-3",
    "contextMap": {},
    "wait": 0,
    "bypassHostMaintenance": false
  }
]

Versions

CloudStack: 4.20.0.0
Hypervisor: KVM
Secondary Storage: Ceph RGW S3
Distro: Ubuntu 22.04 LTS

The steps to reproduce the bug

  1. Deploy CloudStack Management server version 4.20.0.0
  2. Create a Secondary Storage using S3 credentials (accessKey and secretKey)
  3. Grep the log file directory for the secret key: grep <secretKey> -R /var/log/cloudstack/management/{access,management-server}.log

What to do about it?

Redact at least the secretKey from the log entry.
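As an added illustration of the mitigation and of the check in step 3 (not code from the issue or from CloudStack), the function below takes one `Executing command` log entry of the shape quoted above, parses the serialized command array and replaces every `accessKey`/`secretKey` value, at any nesting depth, with `<redacted>`; a second helper implements the grep-style check for a known secret. The sample entry and key values are constructed for the example.

```python
import json
import re

# Constructed sample modelled on the entry quoted in the issue; the key values
# are AWS documentation placeholders, not real credentials.
SAMPLE_LINE = (
    '2025-02-06 15:50:37,093 DEBUG [o.a.c.s.r.NfsSecondaryStorageResource] '
    '(pool-15-thread-1:[ctx-5601ecaa]) (logid:e97c1c85) Executing command "DownloadCommand" '
    '[{"id": 3, "resourceType": "TEMPLATE", "_store": {"id": 2, "accessKey": "AKIAIOSFODNN7EXAMPLE", '
    '"secretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "bucketName": "cloudstack"}}]'
)

SENSITIVE_KEYS = {"accesskey", "secretkey"}  # compared case-insensitively
# Splits the human-readable prefix from the JSON array that follows the command name.
# re.S lets the payload span several lines, as the pretty-printed entry in the log does.
COMMAND_RE = re.compile(r'^(?P<prefix>.*Executing command "[^"]+" )(?P<payload>\[.*\])\s*$', re.S)


def _redact(obj, counter):
    """Recursively replace sensitive string values anywhere in a nested JSON structure."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key.lower() in SENSITIVE_KEYS and isinstance(value, str):
                out[key] = "<redacted>"
                counter[0] += 1
            else:
                out[key] = _redact(value, counter)
        return out
    if isinstance(obj, list):
        return [_redact(value, counter) for value in obj]
    return obj


def redact_line(entry):
    """Return (redacted_entry, number_of_values_redacted); other lines pass through unchanged."""
    match = COMMAND_RE.match(entry)
    if not match:
        return entry, 0
    try:
        payload = json.loads(match.group("payload"))
    except json.JSONDecodeError:
        return entry, 0  # truncated or partial payload: leave it for the caller to reassemble
    counter = [0]
    cleaned = _redact(payload, counter)
    return match.group("prefix") + json.dumps(cleaned, separators=(",", ":")), counter[0]


def find_leaks(lines, secret):
    """The check from step 3 of the report: 1-based numbers of lines still containing the secret."""
    return [number for number, line in enumerate(lines, 1) if secret in line]
```

Redacting at write time (in the serializer) is the real fix; a scrubber like this only limits exposure in logs that were already written.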


boring-cyborg bot commented Feb 6, 2025

Thanks for opening your first issue here! Be sure to follow the issue template!

@DaanHoogland DaanHoogland added this to the 4.20.1 milestone Feb 13, 2025