Merge pull request #34 from adciu/master
Updating for OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images
adciu authored Oct 3, 2024
2 parents 3f20de1 + b136228 commit fd942d8
Showing 3 changed files with 20 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/OSGSecurityAnnouncements.md
@@ -1,5 +1,6 @@
| Date | Title | Contents/Link | Risk |
|-------------|-------------------------------------------------------|---------------------|---------------|
| 2024-10-03 | IDTOKEN Signing Key Present In OSG Hosted-CE Container Images | [OSG-SEC-2024-10-03](./vulns/OSG-SEC-2024-10-03.md) | |
| 2024-01-09 | HIGH SSH vulnerability exploitable in Terrapin attack | [OSG-SEC-2024-01-08](./vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md) | |
| 2023-10-11 | HIGH Severity GNU C Library Privilege Escalation | [OSG-SEC-2023-10-09](./vulns/OSG-SEC-2023-10-09.md) | |
| 2023-09-26 | CRITICAL PMIx race condition vulnerability affecting Slurm | [OSG-SEC-2023-09-26](./vulns/OSG-SEC-2023-09-26.md) | |
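Review bot: the new row leaves the Risk cell empty and, unlike the neighbouring entries whose titles start with HIGH or CRITICAL, gives no severity in its title, so a reader scanning the overview cannot tell how urgent this announcement is; add a severity to the title (or fill the Risk cell) in the same style as the other rows. The link target `./vulns/OSG-SEC-2024-10-03.md` does match the file added in this commit.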
18 changes: 18 additions & 0 deletions docs/vulns/OSG-SEC-2024-10-03.md
@@ -0,0 +1,18 @@
# OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images

Dear OSG Security Contacts,

OSG has discovered a security issue with the OSG Hosted-CE container images [1] where a default IDTOKEN signing key was generated each time the images were built. This key could have been used to submit local jobs to the Hosted-CEs until a new image, containing a new key, was generated.

Upon discovery of the issue, we investigated our audit logs and found no evidence of job submission using this key. We have made changes to our container infrastructure to mitigate this issue and prevent the automatically generated key from being used.

We are investigating further improvements to harden the Hosted-CEs to make access to an IDTOKEN signing key less impactful. Additionally, we are investigating methods and tools to implement automated secret scanning for OSG container images and other release artifacts to reduce the likelihood of future secrets being included in release artifacts.

While we have no evidence that this issue was ever exploited, out of an abundance of caution we are rotating ALL SSH keys used by the Hosted-CEs to connect back to sites. OSG is working with the affected sites to minimize any disruptions caused by this credential rotation.

Please contact the OSG Security team at [email protected] if you have any questions or concerns.

OSG Security Team

## REFERENCES
[1] https://hub.docker.com/r/opensciencegrid/hosted-ce
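Review bot: the advisory never states which image tags or build dates shipped the generated key, which tag contains the fix, or whether a site running a Hosted-CE must do anything itself beyond accepting the SSH key rotation; a short block such as "Affected: images built before <date>; fixed in: <tag>; site action: none beyond the SSH key rotation" would let contacts triage without writing back. The mitigation sentence would also be clearer if it named the change (for example that the key is no longer baked into the image, or that the baked-in key is now rejected by the CE), because the preceding paragraph says the key worked "until a new image, containing a new key, was generated", which reads as if the only fix is the next rebuild. Finally, the contact line shows "[email protected]"; confirm this is the intended address before the page is published.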
1 change: 1 addition & 0 deletions mkdocs.yml
@@ -12,6 +12,7 @@ nav:
- Overview: 'OSGSecurityAnnouncements.md'
- Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md'
- Announcement Details:
- OSG-SEC-2024-10-03 IDTOKEN Signing Key Present In OSG Hosted-CE Container Images: './vulns/OSG-SEC-2024-10-03.md'
- OSG-SEC-2024-01-08 HIGH SSH vulnerability exploitable in Terrapin attacks: './vulns/OSG-SEC-2024-01-08-HIGH-SSH-vulnerability-exploitable-in-Terrapin-attacks.md'
- OSG-SEC-2023-09-26 CRITICAL PMIx race condition vulnerability affecting Slurm: './vulns/OSG-SEC-2023-09-26.md'
- OSG-SEC-2023-09-25 HIGH Multiple Linux Kernel Vulnerabilities: './vulns/OSG-SEC-2023-09-25.md'
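Review bot: not introduced by this hunk, but worth fixing while the nav list is being edited: the overview table in docs/OSGSecurityAnnouncements.md lists OSG-SEC-2023-10-09 (HIGH Severity GNU C Library Privilege Escalation) between the 2024-01-08 and 2023-09-26 entries, and there is no corresponding line in this nav, so that announcement is reachable from the table but missing from the sidebar; adding it here keeps the two lists in step. The new entry itself is placed correctly in descending date order and its path matches the file added in this commit.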