Impact
When an invalid environment variable name is specified in the secrets.yml file, CyberArk Conjur Buildpack logs an error message that contains the value intended for that environment variable. This error is generated after retrieving secrets from CyberArk Conjur or CyberArk Dynamic Access Provider (DAP). This results in the secret value being exposed in the logs. If these log messages are then aggregated elsewhere, these same secret values can be exposed to people who might not otherwise have access to them.
An invalid environment variable name is one that has any characters other than uppercase letters, lowercase letters, digits and underscores.
If, at any time, an error like this occurred, then users should assume any associated secret values are in the associated logs.
This vulnerability does not by itself enable attacks by external attackers as installing the Buildpack requires privileged access to Conjur/DAP. Anyone who can install the Buildpack can already query Conjur/DAP to get the secret values.
Example
If the secrets.yml had this (an invalid environment variable name using '.' characters):
AWS.SECRET.KEY: !var aws/prod/user/robot/secret_access_key
the log message would look like this:
bash: export: `AWS.SECRET.KEY=<some-sensitive-secret-value>': not a valid identifier
where <some-sensitive-secret-value> is the value in Conjur/DAP stored at aws/prod/user/robot/secret_access_key
Updated Version
This vulnerability is fixed in Buildpack v2.1.5 and later. CyberArk recommends upgrading to this version to avoid potential future exposures.
Workarounds
Ensure your variable names are valid prior to installing the Buildpack.
If you have already exposed one or more secrets, you should rotate those secret values as soon as possible.
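The following script is an added example of the workaround above; it is not part of this advisory and not code from the Conjur Buildpack. It checks the keys in a secrets.yml against the advisory's rule (letters, digits and underscores only) before the Buildpack is installed, and it builds a rejection message that names the offending key without including the secret value. The secrets.yml content is constructed for the example, and the parser assumes the flat `NAME: !var path` line form shown above rather than full YAML.

```python
import re

# Constructed secrets.yml content for this example; the paths are illustrative only.
SAMPLE_SECRETS_YML = """\
AWS_ACCESS_KEY_ID: !var aws/prod/user/robot/access_key_id
AWS.SECRET.KEY: !var aws/prod/user/robot/secret_access_key
db-password: !var prod/db/password
DB_HOST: !var prod/db/host
"""

# Rule from the advisory: only uppercase letters, lowercase letters, digits
# and underscores are valid in an environment variable name.
VALID_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def is_valid_env_name(name: str) -> bool:
    """Return True if the shell will accept `name` in an `export` statement.

    Besides the advisory's character rule, a POSIX shell identifier may not
    begin with a digit, so such names are rejected as well.
    """
    return bool(VALID_NAME.match(name)) and not name[0].isdigit()


def parse_secrets_yml(text: str) -> dict:
    """Minimal parser for flat `NAME: !var path` lines (simplification, not full YAML)."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'NAME: !var path'")
        entries[name.strip()] = value.strip()
    return entries


def find_invalid_names(text: str) -> list:
    """Return the secrets.yml keys that would make the shell's export fail."""
    return [name for name in parse_secrets_yml(text) if not is_valid_env_name(name)]


def safe_rejection_message(name: str) -> str:
    """Error text that names the bad key but never carries the secret value.

    The shell's own message (`bash: export: ...: not a valid identifier`)
    echoes the whole assignment, value included; this one does not.
    """
    return f"secrets.yml: '{name}' is not a valid environment variable name; value withheld"


if __name__ == "__main__":
    bad = find_invalid_names(SAMPLE_SECRETS_YML)
    for key in bad:
        print(safe_rejection_message(key))
    raise SystemExit(1 if bad else 0)
```

Run it against your real secrets.yml before pushing the application; a non-zero exit means at least one key would have triggered the logged error described above. Because the check runs before any secret is retrieved from Conjur/DAP, nothing sensitive is available to leak at that point.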
References
- We have scored this issue as Medium (4.0) using CVSS 3.1.
- We have scored this issue as Medium using the OWASP Risk Rating System.
- This is an instance of CWE-210: Self-generated Error Message Containing Sensitive Information.
- For documentation around remediating this issue, see:
For more information
If you have any questions or comments about this advisory: