Insertion of Sensitive Information into log file by lagoon-core

High
tobybellwood published GHSA-hcvj-w4g2-4q2x Oct 10, 2022

Package

lagoon-core (Lagoon)

Affected versions

<v2.10.0

Patched versions

v2.10.0

Description

Impact

A misconfiguration in lagoon-core caused Kubernetes console login information to be logged when certain webhook events were triggered. A lagoon-core install is only vulnerable if pull requests or merge requests are enabled in your cluster and the lagoon-logs packages are sending logs to a logging service.

If you have the optional LagoonLogs facility enabled, the presence of meta.deployTarget.openshift.XX fields against a XX:(pull_request|merge_request):(opened|synchronized):handled event in the lagoon-logs indexes in Elasticsearch indicates exposure.
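As an added detection example (not code from the advisory or the Lagoon project), the following scans a newline-delimited JSON export of a lagoon-logs index for the indicator described above and reports only the names of the leaked fields, never their values. It assumes each record carries the event name in an `event` field; the meta.deployTarget.openshift.* path comes from the advisory, and the sample records are constructed.

```python
import json
import re

# Indicator from the advisory: <source>:(pull_request|merge_request):(opened|synchronized):handled
# ("XX" in the advisory stands for the webhook source, e.g. github or gitlab).
EVENT_RE = re.compile(r"^[^:]+:(pull_request|merge_request):(opened|synchronized):handled$")

def leaked_openshift_keys(record):
    """Names (never values) of any meta.deployTarget.openshift.* fields in a record,
    so that a scan report does not re-expose what it is looking for."""
    openshift = ((record.get("meta") or {}).get("deployTarget") or {}).get("openshift")
    return sorted(openshift) if isinstance(openshift, dict) else []

def is_exposure(record):
    """True when the record matches the advisory's exposure indicator."""
    if not isinstance(record, dict):
        return False
    event = record.get("event", "")  # "event" field name is an assumption, see lead-in
    return bool(EVENT_RE.match(event)) and bool(leaked_openshift_keys(record))

def scan_ndjson(text):
    """Scan newline-delimited JSON (e.g. an export of a lagoon-logs index) and
    return (line_number, event, leaked_field_names) for every exposed record."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it but keep scanning
        if is_exposure(record):
            findings.append((line_no, record["event"], leaked_openshift_keys(record)))
    return findings

# Constructed sample export: an exposed PR event, a push event, and a clean MR event.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"event": "github:pull_request:opened:handled", "project": "demo",
     "meta": {"deployTarget": {"openshift": {"consoleUrl": "https://console.example.invalid",
                                            "token": "constructed-placeholder"}}}},
    {"event": "github:push:handled", "project": "demo", "meta": {"branchName": "main"}},
    {"event": "gitlab:merge_request:synchronized:handled", "project": "demo",
     "meta": {"branchName": "feature/x"}},
])

if __name__ == "__main__":
    for line_no, event, keys in scan_ndjson(SAMPLE_EXPORT):
        print(f"line {line_no}: {event} carries meta.deployTarget.openshift.{{{','.join(keys)}}}")
```

Any hit means the corresponding lagoon-remote console token must be treated as exposed and rotated, regardless of whether the record is later deleted from the index.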

Patches

The vulnerability has been patched in lagoon-core 2.10. If pull requests or merge requests are enabled in your cluster, all lagoon-remote console tokens will need to be recreated and updated in the Lagoon API. A procedure for rotating the credentials is at https://gist.github.com/tobybellwood/fa5aae134f6a4f452fb9f90dfc37c472

Workarounds

The "lagoon-logs" record_modifier in the logs-dispatcher fluent-conf could be disabled to stop lagoon-logs from being distributed, and all existing lagoon-logs indexes deleted. All lagoon-remote console tokens will still need to be recreated and updated in the Lagoon API as above, since this method only makes the credentials harder to find in the logs and cannot account for offline copies.

References

Lagoon release: https://github.com/uselagoon/lagoon/releases/tag/v2.10.0
Credential rotation procedure: https://gist.github.com/tobybellwood/fa5aae134f6a4f452fb9f90dfc37c472

For more information

If you have any questions or comments about this advisory:

Severity

High (7.7 / 10)

CVSS base metrics

Attack vector: Adjacent
Attack complexity: High
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

No known CVE

Weaknesses

Credits