PT-2022-19439 · Rundeck · Rundeck

Author: Paul Calabro +1

Published: 2022-05-20 · Updated: 2022-06-08

CVE-2022-29186

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Rundeck versions 4.0 and earlier

Description: Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Rundeck community and rundeck-enterprise Docker images contained a pre-generated SSH keypair. If the id_rsa.pub public key of that keypair was copied to authorized_keys files on remote hosts, those hosts would allow access to anyone holding the exposed private key. This misconfiguration only affects Rundeck Docker instances, not the Debian, RPM or .WAR distributions. A patch on Rundeck's main branch has removed the pre-generated SSH keypair, but it does not remove exposed keys that have already been configured on remote hosts.

Recommendations: To remediate, users must run a script on the hosts in their environment to search for the exposed public key and rotate any keys that carry it. Do not use any pre-existing public key file from the Rundeck Docker images to grant SSH access by adding it to authorized_keys files. If you have already copied the public key file included in the Docker image, remove it from every authorized_keys file.
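The search-and-remove step described above, as an added example that is not part of the advisory or of Rundeck's own remediation script: a POSIX shell helper that counts copies of one known-exposed public key in an authorized_keys file and strips them. EXPOSED_PUBKEY is a constructed placeholder standing in for the image's id_rsa.pub, and the host-wide scan assumes `getent` is available.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Rundeck project: locate and
# remove copies of a known-exposed SSH public key from authorized_keys files.
# EXPOSED_PUBKEY is a constructed placeholder; replace it with the "type base64"
# part of the id_rsa.pub shipped in the affected Rundeck Docker images.
EXPOSED_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXPOSEDPLACEHOLDER"

# Print the lines of FILE that carry the exposed key (MODE=match) or the lines
# that do not (MODE=keep). Comparison uses key type plus base64 blob only, so a
# rewritten comment or prepended options (from=, no-pty, ...) cannot hide a copy.
_filter_keys() {   # _filter_keys MODE FILE
    awk -v k="$EXPOSED_PUBKEY" -v mode="$1" '
        { hit = 0
          if ($0 !~ /^[[:space:]]*(#|$)/)
              for (i = 1; i < NF; i++)
                  if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $i " " $(i+1) == k) { hit = 1; break }
          if ((mode == "match") == hit) print }' "$2"
}

count_exposed_in() {   # count_exposed_in FILE -> number of lines carrying the key
    _filter_keys match "$1" | wc -l | tr -d ' '
}

remove_exposed_from() {   # remove_exposed_from FILE -> rewrites FILE, keeps FILE.bak
    cp -p "$1" "$1.bak" || return 1
    _filter_keys keep "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Scan every local account's authorized_keys; run as root on each managed host.
# Prints "COUNT PATH" for each file that still carries the exposed key.
scan_local_accounts() {
    getent passwd | cut -d: -f6 | sort -u | while read -r home; do
        f="$home/.ssh/authorized_keys"
        [ -f "$f" ] || continue
        n=$(count_exposed_in "$f")
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$n" "$f"; fi
    done
}
```

Run `scan_local_accounts` first to inventory affected files, then `remove_exposed_from` on each reported path; the .bak copy lets you confirm nothing else was dropped before you rotate the remaining keys.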

Exploit

Fix

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

CVE-2022-29186
GHSA-QXJX-XR2M-HGQX

Affected Products

Rundeck