CVE-2012-5616 - OpenCVE

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Cloudstack
Citrix	Cloudplatform

Configuration 1 [-]

OR	cpe:2.3:a:apache:cloudstack:4.0.0:incubating::::::
	cpe:2.3:a:citrix:cloudplatform::::::::

References

Link	Resource
http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E
http://osvdb.org/89070
http://osvdb.org/89146
http://osvdb.org/89147
http://seclists.org/fulldisclosure/2013/Jan/65
http://secunia.com/advisories/51366
http://secunia.com/advisories/51821
http://secunia.com/advisories/51827
http://support.citrix.com/article/CTX136163	Vendor Advisory
http://www.securityfocus.com/bid/57225
http://www.securityfocus.com/bid/57259
http://www.securitytracker.com/id?1027978

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2013-01-22T23:00:00

Updated: 2013-03-30T09:00:00

Reserved: 2012-10-24T00:00:00

Link: CVE-2012-5616

JSON object: View

NVD Information

Status : Modified

Published: 2013-01-22T23:55:02.887

Modified: 2023-11-07T02:12:37.873

Link: CVE-2012-5616

JSON object: View

Redhat Information

No data.

CWE

CWE-255

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-01-10T00:00:00", "descriptions": [{"lang": "en", "value": "Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-03-30T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://support.citrix.com/article/CTX136163"}, {"name": "89146", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/89146"}, {"name": "20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2013/Jan/65"}, {"name": "89147", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/89147"}, {"name": "57225", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/57225"}, {"name": "[incubator-cloudstack-users] 20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E"}, {"name": "51821", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51821"}, {"name": "57259", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/57259"}, {"name": "89070", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/89070"}, {"name": "51366", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51366"}, {"name": "51827", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51827"}, {"name": "1027978", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1027978"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5616", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://support.citrix.com/article/CTX136163", "refsource": "CONFIRM", "url": "http://support.citrix.com/article/CTX136163"}, {"name": "89146", "refsource": "OSVDB", "url": "http://osvdb.org/89146"}, {"name": "20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Jan/65"}, {"name": "89147", "refsource": "OSVDB", "url": "http://osvdb.org/89147"}, {"name": "57225", "refsource": "BID", "url": "http://www.securityfocus.com/bid/57225"}, {"name": "[incubator-cloudstack-users] 20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565@stratosec.co%3E"}, {"name": "51821", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51821"}, {"name": "57259", "refsource": "BID", "url": "http://www.securityfocus.com/bid/57259"}, {"name": "89070", "refsource": "OSVDB", "url": "http://osvdb.org/89070"}, {"name": "51366", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51366"}, {"name": "51827", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51827"}, {"name": "1027978", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1027978"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5616", "datePublished": "2013-01-22T23:00:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2013-03-30T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cloudstack:4.0.0:incubating:*:*:*:*:*:*", "matchCriteriaId": "EA46B1B9-FCD7-4F3D-88E6-95B1A5A0497C", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:cloudplatform:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7802906-7538-4434-B1F9-89C10ECE8A3E", "versionEndIncluding": "3.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API."}, {"lang": "es", "value": "CloudStack Apache v4.0.0-incubaci\u00f3n y Citrix CloudPlatform (anteriormente Citrix CloudStack ) anterior a v3.0.6 almacena informaci\u00f3n sensible en el archivo de registro log4j.conf, lo que permite a usuarios locales obtener (1) la clave privada SSH registradas por la API createSSHKeyPair, (2) la contrase\u00f1a de un host agregado registrada por la API AddHost, o la contrase\u00f1a de un VM a\u00f1adido seg\u00fan los registrado por el DeployVM (3) o (4) API ResetPasswordForVM."}], "id": "CVE-2012-5616", "lastModified": "2023-11-07T02:12:37.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 2.7, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-01-22T23:55:02.887", "references": [{"source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/89070"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/89146"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/89147"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Jan/65"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/51366"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/51821"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/51827"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://support.citrix.com/article/CTX136163"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/57225"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/57259"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1027978"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}