Sensitive Data Exposure Through Exception Logging in OVM Hypervisor Configuration #12031

@YLChen-007

Description

We have identified a security vulnerability where sensitive credentials (passwords) are exposed through application logs during OVM (Oracle VM) hypervisor server configuration. The password is embedded in an exception message and subsequently logged when the exception is caught.

Data Flow

1. Exception Thrown with Password in Message

In com.cloud.ovm.hypervisor.OvmResourceBase.setupServer, when an SSH connection fails, a CloudRuntimeException is thrown with the password included in the error message:

// com.cloud.ovm.hypervisor.OvmResourceBase.setupServer()
protected void setupServer() throws IOException {
    ...
    if (sshConnection == null) {
        throw new CloudRuntimeException(String.format("Cannot connect to ovm host(IP=%1$s, username=%2$s, password=%3$s",
            _ip, _username, _password));  // ← Password embedded in exception message
    }
    ...
}

2. Exception Logged with Sensitive Data

In com.cloud.ovm.hypervisor.OvmResourceBase.configure, the exception is caught and logged at DEBUG level, which causes the password to be written to the application logs:

// com.cloud.ovm.hypervisor.OvmResourceBase.configure(String name, Map<String, Object> params)
try {
    setupServer();
} catch (Exception e) {
    logger.debug("Setup server failed, ip " + _ip, e);  // ← Exception with password logged here
    throw new ConfigurationException("Unable to setup server");
}

Vulnerability Analysis

The vulnerability chain consists of:

  1. Password in Exception Message: The setupServer() method constructs an exception message that includes the plaintext password used for SSH authentication
  2. Exception Propagation: The exception is thrown and caught by the calling method
  3. Debug Logging: The caught exception (including its message containing the password) is logged at DEBUG level
  4. Log Persistence: The password is permanently written to log files where it can be accessed by unauthorized parties
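
A hardened form of the flow described above, with a regression check that captures the log and confirms the password is absent. This is an added example, not code from the issue or from the CloudStack project: the class name, the `connect()` stub, the sample values, and the use of `java.util.logging` and `IllegalStateException` in place of the project's logger and `CloudRuntimeException` are all assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import java.util.logging.StreamHandler;
import javax.naming.ConfigurationException;

// Added example: a stand-in for the flow in the issue, not CloudStack code.
public class OvmSetupLoggingDemo {
    private static final Logger LOG = Logger.getLogger("ovm-demo");
    // Constructed sample values.
    private final String ip = "192.0.2.10", username = "oracle", password = "S3cr3t-constructed";

    // Hypothetical stand-in for the SSH connect step; it always fails here.
    private Object connect() { return null; }

    void setupServer() {
        Object sshConnection = connect();
        if (sshConnection == null) {
            // Hardened: name the host and account, never the secret.
            throw new IllegalStateException(String.format(
                "Cannot connect to ovm host(IP=%1$s, username=%2$s)", ip, username));
        }
    }

    void configure() throws ConfigurationException {
        try {
            setupServer();
        } catch (Exception e) {
            // Same call shape as the issue (FINE is the DEBUG equivalent);
            // the exception message no longer carries a credential.
            LOG.log(Level.FINE, "Setup server failed, ip " + ip, e);
            throw new ConfigurationException("Unable to setup server");
        }
    }

    public static void main(String[] args) {
        ByteArrayOutputStream captured = new ByteArrayOutputStream();
        StreamHandler handler = new StreamHandler(captured, new SimpleFormatter());
        handler.setLevel(Level.ALL);
        LOG.setLevel(Level.ALL);
        LOG.setUseParentHandlers(false);
        LOG.addHandler(handler);
        OvmSetupLoggingDemo demo = new OvmSetupLoggingDemo();
        try { demo.configure(); } catch (ConfigurationException expected) { /* expected */ }
        handler.flush();
        String logText = captured.toString();
        // Regression check: diagnostics survive, the password does not.
        if (!logText.contains(demo.ip) || logText.contains(demo.password))
            throw new AssertionError("password leaked or host missing from log");
    }
}
```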
