A vulnerability, identified as CVE-2023-22649, has been discovered in Rancher's audit logs, which could expose sensitive data and potentially compromise a system's security. This vulnerability impacts deployments that have Rancher's audit logging enabled and an AUDIT_LEVEL set to 1 or above. In this post, we will discuss the details of this vulnerability, provide code snippets to help understand its impact, and link to the original references.

Exploit Details

Rancher is a popular open-source container management platform that accelerates Kubernetes adoption by providing users with a complete and easy-to-use platform for managing their deployments. One of Rancher's features, Rancher Audit Logging, allows users to log and monitor their API requests, helping them to track changes and improve security compliance.

The CVE-2023-22649 vulnerability pertains to the possible leakage of sensitive data in Rancher's audit logs due to improper configuration. This issue affects deployments with the Audit Logging feature enabled, and an AUDIT_LEVEL set to 1 or above.

Code Snippet

To enable Rancher Audit Logging, the audit-log configuration must be set in the Rancher API configuration file. Here's a sample configuration with the AUDIT_LEVEL set to 1:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  users: ["system:unauthenticated"]
- level: Request
  users: ["system:authenticated"]
  resources:
  - group: "management.cattle.io"
    resources: ["*"]

- Request: Log both request metadata and request body (sensitive data risk)
- RequestResponse: Log both request and response metadata, along with the request body (maximum sensitive data risk)

The vulnerability occurs when the AUDIT_LEVEL is set to 'Request' (1) or 'RequestResponse' (2), which may result in sensitive data being leaked into the audit logs.

1. Disable audit logging if it is not needed by your organization.
2. If audit logging is necessary, set the AUDIT_LEVEL to Metadata () to log only the request metadata, without the request body, which lowers the risk of sensitive data exposure.
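To make the risk concrete, here is an added example (not Rancher's own code, nor anything from the advisory) that scans Rancher-style JSON-lines audit records for request or response bodies carrying credential-like fields, redacts them, and shows what the same records keep once bodies are no longer logged, i.e. the Metadata level recommended above. The sample log lines are constructed, and the field names (auditID, requestURI, requestHeader, requestBody, responseBody) are an assumption about the record layout that should be verified against your own audit log files; the credential values are placeholders.

```python
import json

# Key names (normalised: lower-case, separators stripped) whose values must not
# reach an audit log in clear text. Extend for your own API objects.
SENSITIVE_KEYS = {"password", "token", "secret", "kubeconfig", "privatekey", "clientsecret"}
# Header names that carry credentials (checked case-insensitively).
SENSITIVE_HEADERS = {"authorization", "cookie"}
# Fields that only exist once the level is Request or RequestResponse.
BODY_FIELDS = ("requestBody", "responseBody")

# Constructed sample, modelled on Rancher's JSON-lines audit record layout. The
# field names are an assumption to verify against your own logs; no real secrets.
SAMPLE_LOG = """\
{"auditID": "a1", "requestURI": "/v3/clusters", "method": "GET", "user": {"name": "u-abc"}, "responseCode": 200}
{"auditID": "a2", "requestURI": "/v3/users", "method": "POST", "user": {"name": "u-abc"}, "requestBody": {"username": "alice", "password": "hunter2"}, "responseCode": 201}
{"auditID": "a3", "requestURI": "/v3/tokens", "method": "POST", "user": {"name": "u-abc"}, "requestHeader": {"Authorization": ["Bearer EXAMPLE"]}, "requestBody": {"description": "cli"}, "responseBody": {"token": "token-xyz:EXAMPLE"}, "responseCode": 201}
"""


def _norm(key):
    return key.lower().replace("_", "").replace("-", "")


def parse_log(log_text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_sensitive_paths(obj, prefix=""):
    """Recursively return dotted paths of keys whose name looks credential-like."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if _norm(key) in SENSITIVE_KEYS:
                hits.append(path)
            hits.extend(find_sensitive_paths(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_sensitive_paths(value, f"{prefix}[{i}]"))
    return hits


def entry_findings(entry):
    """Paths inside one audit record that expose sensitive data: body fields
    first, then credential-bearing headers."""
    findings = []
    for field in BODY_FIELDS:
        if field in entry:
            findings.extend(find_sensitive_paths(entry[field], field))
    for field in ("requestHeader", "responseHeader"):
        for name in entry.get(field, {}):
            if name.lower() in SENSITIVE_HEADERS:
                findings.append(f"{field}.{name}")
    return findings


def scan(log_text):
    """Map auditID -> list of leaking paths, for every record that leaks."""
    report = {}
    for entry in parse_log(log_text):
        findings = entry_findings(entry)
        if findings:
            report[entry["auditID"]] = findings
    return report


def redact(obj):
    """Copy of obj with credential-like values replaced; the structure is kept,
    so the record stays useful for forensics without the secret itself."""
    if isinstance(obj, dict):
        return {
            key: "[REDACTED]"
            if (_norm(key) in SENSITIVE_KEYS or key.lower() in SENSITIVE_HEADERS)
            else redact(value)
            for key, value in obj.items()
        }
    if isinstance(obj, list):
        return [redact(value) for value in obj]
    return obj


def metadata_only(entry):
    """The same record once bodies are no longer logged (the Metadata level):
    requestBody/responseBody are dropped, everything else is unchanged."""
    return {key: value for key, value in entry.items() if key not in BODY_FIELDS}


if __name__ == "__main__":
    for audit_id, paths in scan(SAMPLE_LOG).items():
        print(f"{audit_id}: leaks {', '.join(paths)}")
    for entry in parse_log(SAMPLE_LOG):
        print(json.dumps(redact(metadata_only(entry))))
```

Running it against the constructed log flags a2 (a password in the request body) and a3 (a token in the response body plus an Authorization header). Dropping the bodies, as the Metadata level does, removes both body findings; the header finding survives, which is a reminder that if your deployment records headers as part of the metadata, header redaction is a separate control from the AUDIT_LEVEL setting.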

Conclusion

The CVE-2023-22649 vulnerability presents a potential risk to Rancher deployments with audit logging enabled and AUDIT_LEVEL set to 1 or above. As a best practice, ensure that your Rancher deployment is configured correctly to minimize sensitive data exposure. Stay informed on updates and patches related to Rancher by following their official documentation and announcements.

- Rancher Documentation: Enable API Audit Log
- Rancher Documentation: Audit Log Levels

Timeline

Published on: 10/16/2024 08:15:04 UTC
Last modified on: 10/16/2024 16:38:14 UTC