CVE-2012-5616

Name of the Vulnerable Software and Affected Versions Apache CloudStack version 4.0.0-incubating Citrix CloudPlatform (formerly Citrix CloudStack) versions prior to 3.0.6

Description The issue allows local users to obtain sensitive information, including the SSH private key, and passwords of added hosts or VMs, as this information is stored in the log4j.conf log file. This sensitive data is recorded by various APIs, such as createSSHKeyPair, AddHost, DeployVM, or ResetPasswordForVM.

Recommendations For Apache CloudStack version 4.0.0-incubating, consider restricting access to the log4j.conf log file to minimize the risk of sensitive information disclosure. For Citrix CloudPlatform (formerly Citrix CloudStack) versions prior to 3.0.6, update to version 3.0.6 or later to resolve the issue. As a temporary workaround, consider disabling the createSSHKeyPair, AddHost, DeployVM, and ResetPasswordForVM APIs until a patch is available or the log file access is restricted.