CVE-2012-5616 - OpenCVE

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Cloudstack
Citrix	Cloudplatform

Configuration 1 [-]

OR	cpe:2.3:a:apache:cloudstack:4.0.0:incubating::::::
	cpe:2.3:a:citrix:cloudplatform::::::::

No data.

References

Link	Providers
http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E
http://osvdb.org/89070
http://osvdb.org/89146
http://osvdb.org/89147
http://seclists.org/fulldisclosure/2013/Jan/65
http://secunia.com/advisories/51366
http://secunia.com/advisories/51821
http://secunia.com/advisories/51827
http://support.citrix.com/article/CTX136163
http://www.securityfocus.com/bid/57225
http://www.securityfocus.com/bid/57259
http://www.securitytracker.com/id?1027978

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-01-22T23:00:00

Updated: 2024-08-06T21:14:16.356Z

Reserved: 2012-10-24T00:00:00

Link: CVE-2012-5616

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-01-22T23:55:02.887

Modified: 2023-11-07T02:12:37.873

Link: CVE-2012-5616

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-01-10T00:00:00", "descriptions": [{"lang": "en", "value": "Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-03-30T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://support.citrix.com/article/CTX136163"}, {"name": "89146", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/89146"}, {"name": "20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2013/Jan/65"}, {"name": "89147", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/89147"}, {"name": "57225", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/57225"}, {"name": "[incubator-cloudstack-users] 20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E"}, {"name": "51821", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51821"}, {"name": "57259", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/57259"}, {"name": "89070", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/89070"}, {"name": "51366", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51366"}, {"name": "51827", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51827"}, {"name": "1027978", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1027978"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5616", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://support.citrix.com/article/CTX136163", "refsource": "CONFIRM", "url": "http://support.citrix.com/article/CTX136163"}, {"name": "89146", "refsource": "OSVDB", "url": "http://osvdb.org/89146"}, {"name": "20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Jan/65"}, {"name": "89147", "refsource": "OSVDB", "url": "http://osvdb.org/89147"}, {"name": "57225", "refsource": "BID", "url": "http://www.securityfocus.com/bid/57225"}, {"name": "[incubator-cloudstack-users] 20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565@stratosec.co%3E"}, {"name": "51821", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51821"}, {"name": "57259", "refsource": "BID", "url": "http://www.securityfocus.com/bid/57259"}, {"name": "89070", "refsource": "OSVDB", "url": "http://osvdb.org/89070"}, {"name": "51366", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51366"}, {"name": "51827", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51827"}, {"name": "1027978", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1027978"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T21:14:16.356Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.citrix.com/article/CTX136163"}, {"name": "89146", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/89146"}, {"name": "20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2013/Jan/65"}, {"name": "89147", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/89147"}, {"name": "57225", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/57225"}, {"name": "[incubator-cloudstack-users] 20130110 CVE-2012-5616: Apache CloudStack information disclosure vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E"}, {"name": "51821", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/51821"}, {"name": "57259", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/57259"}, {"name": "89070", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/89070"}, {"name": "51366", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/51366"}, {"name": "51827", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/51827"}, {"name": "1027978", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1027978"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5616", "datePublished": "2013-01-22T23:00:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:14:16.356Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cloudstack:4.0.0:incubating:*:*:*:*:*:*", "matchCriteriaId": "EA46B1B9-FCD7-4F3D-88E6-95B1A5A0497C", "vulnerable": true}, {"criteria": "cpe:2.3:a:citrix:cloudplatform:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7802906-7538-4434-B1F9-89C10ECE8A3E", "versionEndIncluding": "3.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API."}, {"lang": "es", "value": "CloudStack Apache v4.0.0-incubaci\u00f3n y Citrix CloudPlatform (anteriormente Citrix CloudStack ) anterior a v3.0.6 almacena informaci\u00f3n sensible en el archivo de registro log4j.conf, lo que permite a usuarios locales obtener (1) la clave privada SSH registradas por la API createSSHKeyPair, (2) la contrase\u00f1a de un host agregado registrada por la API AddHost, o la contrase\u00f1a de un VM a\u00f1adido seg\u00fan los registrado por el DeployVM (3) o (4) API ResetPasswordForVM."}], "id": "CVE-2012-5616", "lastModified": "2023-11-07T02:12:37.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 2.7, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-01-22T23:55:02.887", "references": [{"source": "secalert@redhat.com", "url": "http://mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/89070"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/89146"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/89147"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Jan/65"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/51366"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/51821"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/51827"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://support.citrix.com/article/CTX136163"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/57225"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/57259"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id?1027978"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}