
Insertion of Sensitive Information into log file by lagoon-core

High
tobybellwood published GHSA-hcvj-w4g2-4q2x Oct 10, 2022

Package

lagoon-core (Lagoon)

Affected versions

<v2.10.0

Patched versions

v2.10.0

Description

Impact

A misconfiguration in lagoon-core caused Kubernetes console login information to be written to the lagoon-logs stream when certain webhook events were handled. A lagoon-core install is only vulnerable if pull requests or merge requests are enabled in your cluster and the lagoon-logs packages are sending logs to a logging service.

If you have the optional LagoonLogs facility enabled, the presence of meta.deployTarget.openshift.XX fields on a XX:(pull_request|merge_request):(opened|synchronized):handled event in the lagoon-logs indexes in Elasticsearch indicates exposure.
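The following is an added example, not code from the advisory or from the Lagoon project, showing how to apply that indicator offline to an export of lagoon-logs documents. It assumes the export is newline-delimited Elasticsearch hits ({"_id": ..., "_source": {...}}), that the event name sits in a field called "event", and that the originating-host prefix (the "XX:" in the advisory) may or may not be present; the sample export and the field names under "openshift" are constructed placeholders, since only their presence matters to the check.

```python
"""Offline exposure check for the GHSA-hcvj-w4g2-4q2x log-leak indicator.

Scans exported lagoon-logs documents for a `meta.deployTarget.openshift.*`
object on a `(pull_request|merge_request):(opened|synchronized):handled`
event, which the advisory names as the sign that console credentials were
logged. Added example; not part of the advisory or the Lagoon code base.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Sequence

# Event-name pattern from the advisory. The source prefix ("XX:" in the
# advisory text, e.g. the originating git host) is accepted but not required.
EVENT_RE = re.compile(
    r"^(?:[^:]+:)?(?:pull_request|merge_request):(?:opened|synchronized):handled$"
)

# Dotted path of the object whose presence on a matching event indicates exposure.
LEAK_PATH: Sequence[str] = ("meta", "deployTarget", "openshift")

# Assumption: each document carries its event name in a field called "event".
EVENT_FIELD = "event"


def _get_path(obj: Any, path: Sequence[str]) -> Any:
    """Walk a path through nested dicts; return None if any hop is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def leaked_fields(source: Dict[str, Any]) -> List[str]:
    """Return the field names found under meta.deployTarget.openshift for one
    document, or [] when the event is outside the pattern or no such object exists."""
    event = source.get(EVENT_FIELD)
    if not isinstance(event, str) or not EVENT_RE.match(event):
        return []
    openshift = _get_path(source, LEAK_PATH)
    if not isinstance(openshift, dict) or not openshift:
        return []
    return sorted(openshift)


def load_hits(ndjson: str) -> Iterator[Dict[str, Any]]:
    """Parse newline-delimited Elasticsearch hits, skipping blank lines."""
    for line in ndjson.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def scan(hits) -> List[Dict[str, Any]]:
    """One record per exposed document: its _id, event name and leaked field names."""
    findings = []
    for hit in hits:
        source = hit.get("_source", {})
        fields = leaked_fields(source)
        if fields:
            findings.append(
                {"id": hit.get("_id"), "event": source.get(EVENT_FIELD), "fields": fields}
            )
    return findings


# Constructed sample export, not real Lagoon data. "consoleUrl" and "token"
# stand in for whatever fields affected versions logged.
SAMPLE_EXPORT = "\n".join(json.dumps(h) for h in [
    {"_id": "a1", "_source": {"event": "github:pull_request:opened:handled",
        "meta": {"deployTarget": {"openshift": {"consoleUrl": "https://api.example.invalid:6443",
                                                "token": "REDACTED"}}}}},
    {"_id": "a2", "_source": {"event": "gitlab:merge_request:synchronized:handled",
        "meta": {"deployTarget": {"openshift": {"token": "REDACTED"}}}}},
    # Event outside the advisory's pattern: not counted as an indicator.
    {"_id": "a3", "_source": {"event": "github:pull_request:closed:handled",
        "meta": {"deployTarget": {"openshift": {"token": "REDACTED"}}}}},
    # Matching event but no openshift object (the patched shape).
    {"_id": "a4", "_source": {"event": "github:pull_request:opened:handled",
        "meta": {"deployTarget": {"name": "remote-1"}}}},
    {"_id": "a5", "_source": {"event": "github:push:handled"}},
])


if __name__ == "__main__":
    for finding in scan(load_hits(SAMPLE_EXPORT)):
        print(f"{finding['id']}: {finding['event']} leaks {', '.join(finding['fields'])}")
```

A non-empty result means the credentials reached the logging backend and every lagoon-remote console token must be rotated regardless of whether the indexes are then deleted; an empty result only says the indicator is absent from the documents you exported, not from any copies held elsewhere.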

Patches

The vulnerability has been patched in lagoon-core v2.10.0. If pull requests or merge requests are enabled in your cluster, all lagoon-remote console tokens will need to be recreated and updated in the Lagoon API. A procedure for rotating the credentials is at https://gist.github.com/tobybellwood/fa5aae134f6a4f452fb9f90dfc37c472

Workarounds

The "lagoon-logs" record_modifier in the logs-dispatcher fluent-conf can be disabled to stop lagoon-logs from being distributed, and all existing lagoon-logs indexes deleted. All lagoon-remote console tokens will still need to be recreated and updated in the Lagoon API as above: this workaround only makes the credentials harder to find in the logs and cannot account for offline copies.

References

Lagoon release: https://github.com/uselagoon/lagoon/releases/tag/v2.10.0
Credential rotation procedure: https://gist.github.com/tobybellwood/fa5aae134f6a4f452fb9f90dfc37c472

For more information

If you have any questions or comments about this advisory:

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS). For the vector below it is 7.6 / 10.

CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metric definitions

Attack vector: More severe the more remote (logically and physically) an attacker can be and still exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

No known CVE
