Описание
Contrast leaks workload secrets to logs on INFO level
This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had been fixed for release v1.8.1, but the fix was not ported to the main branch and thus not present in releases v1.9.0 ff.
Below is a brief repetition of the relevant sections from the first GHSA, where you can find the full details.
Impact
- Workload secrets are visible to Kubernetes users with
getorlistpermission onpods/logs, and thus need to be considered compromised. - Since workload secrets are used for encrypted storage and Vault integration, those need to be considered compromised, too.
Patches
Patches:
- https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225
- https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554
The patches are released with v1.12.2 and v1.13.0 (not yet published). Since the secrets are compromised, Contrast needs to be initialized from scratch.
Workarounds
Existing workload secrets are compromised. The Contrast cluster needs to be newly initialized, and logging needs to be turned off.
References
First occurrence:
We are defining a process for handling GHSAs that should prevent such regressions in the future:
Ссылки
- https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8
- https://github.com/edgelesssys/contrast/security/advisories/GHSA-vxg3-w9rv-rhr2
- https://github.com/edgelesssys/contrast/pull/1739
- https://github.com/edgelesssys/contrast/commit/5a5512c4af63c17bb66331e7bd2768a863b2f225
- https://github.com/edgelesssys/contrast/commit/cf58026b30c43fe7df91eac5322da02e1725d554
Пакеты
github.com/edgelesssys/contrast
>= 1.9.0, <= 1.12.1
1.12.2
7.3 High
CVSS3
Дефекты
7.3 High
CVSS3