chore(deps): update dependency ops to v2.15.0 [security] #136
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==2.14.1
->==2.15.0
GitHub Vulnerability Alerts
CVE-2024-41129
Summary
The issue here is that we pass the secret content as one of the args via CLI. This issue may affect any of our charms that are using: Juju (>=3.0), Juju secrets and not correctly capturing and processing
subprocess.CalledProcessError
.There are two points that may log this command, in different files:
First, if there is an error during a secret handling, there will be a
subprocess.CalledProcessError
, which will contain the CLI comand + all its args. This is going to be logged in any logging level. This exception, if not caught by the charm, will bubble up to the/var/log/juju/
logs and syslog journal. Now, on Ubuntu 22.04, these logs are protected with:Second, certain audit setups may log terminal commands, which would result in this command being logged with its secrets. It is unknown if this is done on ubuntu security benchmarks, such as CIS hardening.
Keep in mind these logs may be copied or even backed up. Which exposes it to more services in the user's environment (e.g. CI runs in GH - although these are dummy password generated per test only).
Passing secrets straight via CLI is not advised. Here are some ways out:
subprocess.CalledProcessError
, redacting its content and reissuing the same type of exception; this will not cover the caseauditd
is set to log CLI commands, if that is a riskSeverity Rationale
This is a CWE-532. Potentially, these secrets can lead to privilege escalation but Ubuntu default is to have logs only accessible to
adm
group users.Marking this issue as "Moderate", as this report is not presenting a clear way on how to get access to the logs themselves: either getting local access to an
adm
group user (e.g. ubuntu) or recovering logs stored on a 3rd party service.Details
From CI: https://github.com/canonical/opensearch-operator/actions/runs/9908987369/job/27376377521?pr=364
PoC
Impact
Juju secrets are generally composed of private keys, passwords, etc; generally valuable credentials that, if leaked, will likely allow an attacker to get privileged access to its target or other targets in the environment.
Release Notes
canonical/operator (ops)
v2.15.0
Compare Source
Features
Fixes
Documentation
CI
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.