
Enforce obfuscation in deployment logs of sensitive variables contributed via machines (CVE-2018-11320) #4578

Closed
zentron opened this issue May 21, 2018 · 2 comments
Labels: area/security, kind/bug (This issue represents a verified problem we are committed to solving), tag/regression (This issue was addressed and shipped, but subsequently broken in another release)

Comments


zentron commented May 21, 2018

When an Azure Target is involved in a deployment, the sensitive account variables linked to it are not obfuscated in the logs.

Steps to reproduce

  • Create an Azure Subscription account
  • Create an Azure WebApp target that uses the previously created account
  • Create a project with a Deploy Azure WebApp step that uses the same role as the previously created target.
  • Add the debugging variable OctopusPrintVariables to the project.
  • Create and deploy release
  • View the deployment log

What you expect to see
The printed log should show ******* as the value of the variable Octopus.Action.Azure.Password

What you see instead
The actual value of the Azure password is printed to the logs.

Octopus releases with this regression bug

This issue came about with a changed execution pipeline that was available from 2018.3.8; however, the code path that led to this bug would not have been commonly executed until the Azure targets introduced in 2018.5.0.

CVE

CVE-2018-11320
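The masking gap reported above, illustrated with an added Python example that is not Octopus Deploy's code: sensitive values from project variables and from variables contributed by the deployment target are held in separate sets; a masker built only from the project set (the regressed path) lets the Azure password through when `OctopusPrintVariables` dumps every variable, while one built from every contributing source redacts it. The variable names, the placeholder values and the `OctopusPrintVariables` emulation are constructed for the example.

```python
# Constructed sample variables: (name, value, is_sensitive). Values are placeholders.
PROJECT_VARIABLES = [
    ("Octopus.Project.Name", "WebShop", False),
    ("DbPassword", "db-placeholder-secret", True),
]
# Variables contributed by the Azure WebApp target's linked account.
MACHINE_VARIABLES = [
    ("Octopus.Action.Azure.SubscriptionId", "00000000-0000-0000-0000-000000000000", False),
    ("Octopus.Action.Azure.Password", "azure-placeholder-secret", True),
]
ALL_SOURCES = [PROJECT_VARIABLES, MACHINE_VARIABLES]
MASK = "********"


def build_masker(sources):
    """Return a function that redacts every sensitive value found in `sources`.

    Longer secrets are replaced first so that a secret which is a prefix of
    another cannot leave a partial value behind; empty values are skipped so
    the masker never rewrites every character of the line.
    """
    secrets = sorted({v for src in sources for _, v, s in src if s and v},
                     key=len, reverse=True)

    def mask(line):
        for secret in secrets:
            line = line.replace(secret, MASK)
        return line

    return mask


def print_variables(sources):
    """Emulates OctopusPrintVariables: one raw 'name = value' line per variable."""
    return [f"[{name}] = '{value}'" for src in sources for name, value, _ in src]


def deployment_log(sources, masker):
    """Run the variable dump through the masker, as the log writer would."""
    return [masker(line) for line in print_variables(sources)]


def regressed_log():
    """Masker built from project variables only: machine-contributed secrets leak."""
    return deployment_log(ALL_SOURCES, build_masker([PROJECT_VARIABLES]))


def fixed_log():
    """Masker built from every source that contributes variables to the step."""
    return deployment_log(ALL_SOURCES, build_masker(ALL_SOURCES))


def leaked_secrets(log_lines, sources):
    """Defender's check: which sensitive values still appear verbatim in the log."""
    secrets = {v for src in sources for _, v, s in src if s}
    return sorted(v for v in secrets if any(v in line for line in log_lines))
```

The `leaked_secrets` check is the kind of assertion a regression test on the log writer should carry, so that a new variable source cannot reopen the gap unnoticed.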

@zentron zentron added kind/bug This issue represents a verified problem we are committed to solving area/security tag/regression This issue was addressed and shipped, but subsequently broken in another release labels May 21, 2018
@zentron zentron added this to the 2018.5.2 milestone May 21, 2018
@zentron zentron self-assigned this May 21, 2018
@zentron zentron closed this as completed May 22, 2018
@zentron zentron changed the title from "Sensitive variables contributed via machine during deployment are not obfuscated in the deployment logs" to "Enforce obfuscation in deployment logs of sensitive variables contributed via machines (CVE-2018-11320)" May 22, 2018

zentron commented May 22, 2018


lock bot commented Nov 23, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 23, 2018