
CVE-2022-23506 - Rosco/Packer - Insertion of Sensitive Information into Log File (OSS only)

Issue

The Spinnaker Security SIG has determined that Spinnaker has a newly discovered vulnerability, and a new CVE has been identified. This issue does not affect Armory CDSH; it affects only Spinnaker OSS. For information about why Armory CDSH is unaffected, see the note below. CVE-2022-23506 is an Insertion of Sensitive Information into Log File vulnerability (CWE-532). The issue concerns Packer bakes and how the credentials supplied to them are handled and logged.

  • Packer bakes in Spinnaker OSS do NOT mask hard-coded credentials, for example an aws_secret_key for AWS programmatic access that is supplied as a hard-coded value.
  • This means bakes write those sensitive credentials to logs and potentially into the resulting AMIs.
  • Customers using IAM roles, or another secrets system, with Packer bakes/deployments are not affected.

A security report is already in progress on this item. We ask that customers running OSS upgrade to a version with the fix as soon as possible if they use Packer in their deployments, or adjust their secrets methodology in Packer bakes.

Environment exposure can be reduced or mitigated if Armory products are run in a closed network that is not open to the internet. We recommend that customers check that their Gate and Deck endpoints are not directly exposed to the internet and review their firewalls and security settings. Armory recommends as a general policy that environments remediate their risk by switching their deployment strategy to remove any hard-coded credentials, such as by using IAM roles for AWS and a secrets system for GCP. Credentials that were already hard-coded into bakes should be treated as exposed and rotated: removing them from future bakes does not scrub the logs or AMIs that already contain them.

Update - 2022/12/09: Clarification provided regarding Armory CDSH. Issue does not affect Armory products. Added further suggestion regarding credentials.
Update 2 - 2022/12/09: Adjusted information for consistency.
Update 3 - 2023/01/03: Revised wording as it is now published: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23506
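The two checks a practitioner would want after reading the above are (1) whether existing bake logs already contain credential material, and (2) whether a Packer template still carries hard-coded credentials instead of relying on an IAM role or a template/environment reference. The following is an added example, not code from Spinnaker, Rosco, Packer or Armory. The log line format is an assumption, the sample log and templates are constructed, and the key values are AWS's published example credentials rather than real ones; the function and pattern names are this example's own.

```python
import json
import re

# Constructed sample of the kind of line a bake service might write while
# running Packer (format assumed). Line 1 carries hard-coded credentials passed
# as Packer -var arguments, which is the CWE-532 situation the advisory describes.
# The key values are AWS's documented example credentials, not real ones.
SAMPLE_BAKE_LOG = [
    "2022-12-09 10:00:01 INFO  Executing: packer build -var aws_region=us-west-2 "
    "-var aws_access_key=AKIAIOSFODNN7EXAMPLE "
    "-var aws_secret_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY aws-ebs.json",
    "2022-12-09 10:00:02 INFO  amazon-ebs: Prevalidating AMI Name: my-app-1.2.3",
    "2022-12-09 10:00:09 INFO  amazon-ebs: Creating temporary keypair: packer_63932d21",
]

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 [A-Z0-9].
AWS_ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A secret-key assignment in -var, HCL or JSON form followed by a 40-character
# base64-alphabet value. Group 1 keeps the prefix so masking preserves layout.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)((?:aws_)?secret_(?:access_)?key\s*[=:]\s*['\"]?)"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_log_line(line):
    """Return [(kind, value)] for every credential found in one log line."""
    found = [("aws_access_key_id", m.group(1)) for m in AWS_ACCESS_KEY_ID.finditer(line)]
    found += [("aws_secret_access_key", m.group(2)) for m in SECRET_ASSIGNMENT.finditer(line)]
    return found


def scan_log(lines):
    """Return [(line_no, kind, value)] across a whole bake log."""
    return [(n, kind, value)
            for n, line in enumerate(lines, start=1)
            for kind, value in scan_log_line(line)]


def mask_log_line(line):
    """What a log filter should do before a line is persisted: replace the
    credential material in place and leave everything else untouched."""
    line = AWS_ACCESS_KEY_ID.sub("[MASKED_ACCESS_KEY_ID]", line)
    return SECRET_ASSIGNMENT.sub(r"\1[MASKED_SECRET]", line)


# Constructed legacy (JSON) Packer templates: one with credentials baked in,
# one relying on the instance's IAM role (no access_key/secret_key at all).
HARDCODED_TEMPLATE = json.dumps({
    "variables": {"aws_secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    "builders": [{"type": "amazon-ebs", "region": "us-west-2",
                  "access_key": "AKIAIOSFODNN7EXAMPLE",
                  "secret_key": "{{user `aws_secret_key`}}"}],
})
IAM_ROLE_TEMPLATE = json.dumps({
    "variables": {"aws_region": "us-west-2"},
    "builders": [{"type": "amazon-ebs", "region": "{{user `aws_region`}}"}],
})

SENSITIVE_NAME = re.compile(r"(?i)secret|access_key|password|token")
CREDENTIAL_FIELDS = ("access_key", "secret_key", "token")


def _is_literal(value):
    # A template reference such as {{user `aws_secret_key`}} or
    # {{env `AWS_SECRET_ACCESS_KEY`}} is not a hard-coded value; a non-empty
    # plain string is. An empty default means the value arrives via -var.
    return isinstance(value, str) and value != "" and not value.startswith("{{")


def hardcoded_credentials_in_template(template_json):
    """Return dotted paths of credential fields holding literal values.
    Absent builder fields are fine: Packer then falls back to the instance
    profile / IAM role or the environment, which is what the advisory recommends."""
    tmpl = json.loads(template_json)
    flagged = []
    for name, value in tmpl.get("variables", {}).items():
        if SENSITIVE_NAME.search(name) and _is_literal(value):
            flagged.append(f"variables.{name}")
    for i, builder in enumerate(tmpl.get("builders", [])):
        for field in CREDENTIAL_FIELDS:
            if _is_literal(builder.get(field)):
                flagged.append(f"builders[{i}].{field}")
    return flagged


if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_BAKE_LOG):
        print(f"line {n}: {kind} leaked ({value[:4]}...)")
    print(hardcoded_credentials_in_template(HARDCODED_TEMPLATE))
    print(hardcoded_credentials_in_template(IAM_ROLE_TEMPLATE))
```

The two checks are complementary: a variable whose default is an empty string passes the template check because its value is supplied at bake time, and that is precisely the value that ends up on the logged command line, so the log scan is what catches it. Any hit from the log scan should be treated as a leaked credential to rotate, not merely a line to redact.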

Cause

The vulnerability lies in the Packer bake handling within the Rosco Spinnaker service: credentials supplied to a bake as hard-coded values are written to the bake logs without masking. Tracked in CVE-2022-23506.