Impact
The Lagoon audit logging transport (lagoon-logs) exposes the bearer tokens used to authenticate transactions. Any installation that stores these logs may have these tokens exposed to authenticated users, if those users have access to view the lagoon-logs index.
Patches
Fixed in v2.0.0. JWTs will need to be rotated in any internal services that use a long-lived JWT to communicate with the API, as will any external services that interact with the API on long-lived tokens. The lagoon-core helmchart will ensure that internal services are restarted on the generation of a new key.
Workarounds
The fluentd patterns used to ingest these messages have also been updated to sanitise these fields.
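As an added example (not Lagoon's own code and not its updated fluentd configuration), the following Python shows the two defensive steps implied by the workaround above: redacting bearer tokens and JWT-shaped values from audit records before they are indexed, and scanning records that were already stored for tokens that leaked before the fix and therefore need rotating. The record shape, field names and the sample token are constructed assumptions, not the real lagoon-logs format.

```python
import re

# Constructed sample audit record; the field layout is an assumption,
# not the actual lagoon-logs message format.
SAMPLE_RECORD = {
    "event": "api.request",
    "headers": {
        "authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.abc123_-DEF"
    },
    "message": "token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.abc123_-DEF used for deploy",
}

# Field names whose whole value is dropped regardless of content.
SENSITIVE_KEYS = {"authorization", "token", "jwt", "bearer"}

# Three base64url segments separated by dots: the shape of a compact JWT.
# Lookarounds stop the match from splitting a longer token-like run.
JWT_RE = re.compile(
    r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}(?![A-Za-z0-9_-])"
)
# "Bearer <token>" as it appears in an Authorization header or free text.
BEARER_RE = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/-]+=*")
REDACTED = "[REDACTED]"


def redact_text(text):
    """Replace bearer credentials and JWT-shaped values inside a string."""
    text = BEARER_RE.sub("Bearer " + REDACTED, text)
    return JWT_RE.sub(REDACTED, text)


def sanitise(record):
    """Return a copy of a log record with credential material removed.

    Known-sensitive keys are redacted wholesale; every other string is
    scanned for token patterns, so tokens embedded in free-text fields
    (as in the 'message' above) are caught too.
    """
    if isinstance(record, dict):
        return {
            key: (REDACTED if key.lower() in SENSITIVE_KEYS else sanitise(value))
            for key, value in record.items()
        }
    if isinstance(record, list):
        return [sanitise(value) for value in record]
    if isinstance(record, str):
        return redact_text(record)
    return record


def contains_token(record):
    """True if a record still carries a bearer token or JWT anywhere."""
    flat = repr(record)
    return bool(BEARER_RE.search(flat) or JWT_RE.search(flat))


def find_leaked(records):
    """Indices of already-stored records that expose a token.

    Useful after the fix to decide which long-lived JWTs must be rotated:
    any token found here should be treated as compromised.
    """
    return [i for i, rec in enumerate(records) if contains_token(rec)]


if __name__ == "__main__":
    clean = sanitise(SAMPLE_RECORD)
    print(clean)
    print("leaked before sanitising:", find_leaked([SAMPLE_RECORD, clean]))
```

The sanitiser runs on the ingestion side, in the place the advisory describes the fluentd patterns doing the same job; `find_leaked` is the retrospective check over an existing index that tells you which tokens were exposed and must be rotated rather than merely scrubbed going forward.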
For more information
If you have any questions or comments about this advisory: