Description
ISSUE TYPE
- Bug Report
COMPONENT NAME
Logs
CLOUDSTACK VERSION
4.19.1.0, 4.18.1.0
CONFIGURATION
OS / ENVIRONMENT
SUMMARY
Passwords and sensitive information are shown in plaintext in the management and access logs on the management server.
STEPS TO REPRODUCE
Looking in log files.
EXPECTED RESULTS
No sensitive passwords or secrets in logs
ACTUAL RESULTS
/var/log/cloudstack/management/access.log:1077542308:10.30.0.61 - - [09/Aug/2024:16:42:01 +0000] "GET /client/api?account=joe-again-1286&apiKey=<apikey>&command=addVpnUser&domainid=c91a0528-377b-48aa-9c7b-2c7ead68200d&password=TOPSECRETPASSWORD&response=json&username=seantest2&signature=Ek%2BC7EGsrmNi0ONFL%2BxJBJxSGe0%3D HTTP/1.1" 200 115 "-" "GuzzleHttp/7" 86
/var/log/cloudstack/management/management-server.log:122775505:{u'vpn_users': [{u'add': True, u'password': u'TOPSECRETPASSWORD', u'user': u'seantest2'}], u'type': u'vpnuserlist', u'delete_from_processed_cache': False}
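
A log-scrubbing check for the two line shapes shown above (URL query string in access.log, Python-repr dict in management-server.log), added here as an example; it is not part of the original report or of CloudStack's code. The sensitive key list, the mask string and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: parameter names treated as sensitive; extend for your deployment.
SENSITIVE_KEYS = ("password", "apikey")
_KEYS = "|".join(SENSITIVE_KEYS)
MASK = "*****"

# key=value inside a URL query string, as in the access.log request line
QUERY_RE = re.compile(r"([?&](?:%s)=)([^&\s\"]*)" % _KEYS, re.IGNORECASE)
# u'key': u'value' inside a Python-repr dict, as in management-server.log
REPR_RE = re.compile(r"(u?'(?:%s)':\s*u?')([^']*)(')" % _KEYS, re.IGNORECASE)


def redact(line):
    """Return the line with every sensitive value replaced by MASK."""
    line = QUERY_RE.sub(lambda m: m.group(1) + MASK, line)
    line = REPR_RE.sub(lambda m: m.group(1) + MASK + m.group(3), line)
    return line


def scan(lines):
    """Yield (line_number, masked_line) for lines that exposed a secret.

    Lines that are already masked come back unchanged and are not reported.
    """
    for number, line in enumerate(lines, 1):
        masked = redact(line)
        if masked != line:
            yield number, masked


# Constructed sample lines modelled on the two formats in the report.
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:00:00:00 +0000] "GET /client/api?apiKey=EXAMPLE-KEY'
    '&command=addVpnUser&password=EXAMPLE-PW&response=json&username=alice HTTP/1.1"'
    ' 200 115 "-" "-" 86',
    "{u'vpn_users': [{u'add': True, u'password': u'EXAMPLE-PW', u'user': u'alice'}],"
    " u'type': u'vpnuserlist'}",
    '10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /client/api?command=listZones'
    '&response=json HTTP/1.1" 200 42 "-" "-" 3',
]

if __name__ == "__main__":
    for number, masked in scan(SAMPLE):
        print(number, masked)
```

Scrubbing existing files only limits exposure of what has already been written; credentials that reached the logs should be treated as disclosed and rotated.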