CVE-2012-5616

2013-01-2223:00:00

redhat

www.cve.org

AI Score

Confidence

Low

EPSS

Percentile

10.3%

JSON

Apache CloudStack 4.0.0-incubating and Citrix CloudPlatform (formerly Citrix CloudStack) before 3.0.6 stores sensitive information in the log4j.conf log file, which allows local users to obtain (1) the SSH private key as recorded by the createSSHKeyPair API, (2) the password of an added host as recorded by the AddHost API, or the password of an added VM as recorded by the (3) DeployVM or (4) ResetPasswordForVM API.

References

mail-archives.apache.org/mod_mbox/incubator-cloudstack-users/201301.mbox/%3C1BD2169F-BBFE-4E27-B50F-F17D7D08B565%40stratosec.co%3E

osvdb.org/89070

osvdb.org/89146

osvdb.org/89147

seclists.org/fulldisclosure/2013/Jan/65

secunia.com/advisories/51366

secunia.com/advisories/51821

secunia.com/advisories/51827

support.citrix.com/article/CTX136163

www.securityfocus.com/bid/57225

www.securityfocus.com/bid/57259

www.securitytracker.com/id?1027978