
Improper creation of OpenDistro/OpenSearch index role permissions by the Lagoon API

Moderate
tobybellwood published GHSA-7jj3-wwp7-989p May 18, 2022

Package

lagoon-core API (Lagoon)

Affected versions

<v2.8.0

Patched versions

v2.8.0

Description

Impact

Lagoon-core creates indexes, roles and tenants in OpenDistro/OpenSearch, linked to the permissions in Lagoon. Because of the way Lagoon builds the multipurpose index permissions assigned to group roles, users from certain groups may be able to read the logs of another project or group. Only projects whose full project name appears, delimited by hyphens, inside another existing project's name can gain access to that additional project. For example, a project named foo may be able to access logs from a project named foo-bar, but not from foobar, and not the other way around (foo-bar cannot access foo).

Patches

This issue has been resolved in Lagoon v2.8.0. Lagoon admins will need to run the yarn sync:opendistro-security script from the API pod after upgrading to update existing roles; upgrading alone does not rewrite roles that were created earlier.

Workarounds

Users with admin access can update the roles in OpenDistro/OpenSearch to limit access to other indices. Note that these roles may themselves be overwritten in a subsequent Lagoon-initiated sync, so the manual change only holds until the next sync from a version still using the old pattern.

The existing index string:

*-${projectName}-*

should be replaced with:

/^(application|container|lagoon|router)-logs-${projectName}-_-.+/
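The following script, added here as an illustration and not part of Lagoon's own code, expands both index strings for a given project name the way a role would see them and lists which indices the old glob grants that the anchored regex does not. The sample index names are constructed; the -_-<date> suffix is an assumption about the part of the name after the project, based on the regex above. The sample goes beyond the advisory's foo/foo-bar example by including bar-foo, which the glob also matches because -foo- occurs inside it.

```javascript
// Added example (not Lagoon's own code): compare the pre-2.8.0 index
// pattern with the anchored regex from the workaround against constructed
// index names, to show which foreign indices a role for `projectName` leaks.

// Escape a literal string for use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Turn an OpenDistro/OpenSearch index pattern into a JS RegExp.
// Patterns wrapped in `/.../` are regular expressions; anything else is a
// glob where `*` matches any run of characters. ${projectName} is
// substituted first, as Lagoon does when it writes the role.
function compilePattern(template, projectName) {
  const pattern = template.replace('${projectName}', projectName);
  if (pattern.length > 1 && pattern.startsWith('/') && pattern.endsWith('/')) {
    return new RegExp(pattern.slice(1, -1));
  }
  const body = pattern.split('*').map(escapeRegExp).join('.*');
  return new RegExp('^' + body + '$');
}

// The two index strings from the advisory (single quotes keep ${projectName} literal).
const OLD_TEMPLATE = '*-${projectName}-*';
const NEW_TEMPLATE = '/^(application|container|lagoon|router)-logs-${projectName}-_-.+/';

// Indices a role built from `template` for `projectName` can read.
function readableIndices(template, projectName, indices) {
  const re = compilePattern(template, projectName);
  return indices.filter((name) => re.test(name));
}

// Indices the old glob grants that the anchored regex does not, i.e. the
// indices belonging to other projects that `projectName` could read.
function leakedIndices(projectName, indices) {
  const own = new Set(readableIndices(NEW_TEMPLATE, projectName, indices));
  return readableIndices(OLD_TEMPLATE, projectName, indices).filter((n) => !own.has(n));
}

// Constructed sample index names (the date suffix is an assumption).
const SAMPLE_INDICES = [
  'application-logs-foo-_-2022.05.18',
  'router-logs-foo-_-2022.05.18',
  'application-logs-foo-bar-_-2022.05.18',
  'container-logs-foobar-_-2022.05.18',
  'lagoon-logs-bar-foo-_-2022.05.18',
];

for (const project of ['foo', 'foo-bar', 'foobar']) {
  console.log(project, 'leaks:', leakedIndices(project, SAMPLE_INDICES));
}
```

For foo the old glob matches both foo-bar and bar-foo indices while the regex matches only foo's own; foo-bar and foobar leak nothing in either form, which is the "not the other way around" part of the description.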

For more information

If you have any questions or comments about this advisory, please contact security@amazee.io

Severity

Moderate

CVE ID

No known CVE
