PT-2023-12722 · Spinnaker+2

Jasonmcintosh · Published 2023-01-03 · Updated 2023-01-10 · CVE-2022-23506

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Spinnaker's Rosco microservice, versions prior to 1.29.2, 1.28.4, and 1.27.3

Description: Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker's Rosco microservice produces machine images. Rosco does not properly mask secrets generated via Packer builds, which can lead to exposure of sensitive AWS credentials in Packer log files. It is recommended to use short-lived credentials via role assumption and IAM profiles, and to set credentials in /home/spinnaker/.aws/credentials and /home/spinnaker/.aws/config as a volume mount for Rosco pods. Using IAM Roles instead of long-lived credentials drastically mitigates the risk of credential exposure. If static credentials have been used, it is recommended to purge any bake logs for AWS, evaluate whether an AWS ACCESS KEY, SECRET KEY and/or other sensitive data has been introduced into log files and bake job logs, and then rotate these credentials.

Recommendations: For versions prior to 1.29.2, update to version 1.29.2 or later. For versions prior to 1.28.4, update to version 1.28.4 or later. For versions prior to 1.27.3, update to version 1.27.3 or later. As a temporary workaround, consider using short-lived credentials via role assumption and IAM profiles. Restrict access to sensitive data by setting credentials in /home/spinnaker/.aws/credentials and /home/spinnaker/.aws/config as a volume mount for Rosco pods. Avoid using static credentials and instead use IAM Roles to minimize the risk of credential exposure.
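The advisory tells operators who used static credentials to check their AWS bake logs for leaked access keys before purging and rotating them. The script below is an added example of that check, written for this page; it is not Rosco's or Spinnaker's own code and not part of the advisory. It assumes the AWS key formats (a 20-character access key ID starting with AKIA or ASIA, a 40-character secret next to an aws_secret_access_key variable) and scans a constructed bake-log excerpt that uses AWS's published placeholder credentials, not real ones. It reports where credentials appear and produces a redacted copy that keeps the key prefix so the finding stays triageable.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line number in the log
    kind: str      # "access_key_id" or "secret_access_key"
    value: str     # the credential text that was found


# Assumption: AWS access key IDs are 20 characters, a 4-letter prefix
# (AKIA for long-lived IAM user keys, ASIA for temporary STS keys) followed
# by 16 upper-case alphanumerics. Matching ASIA too matters: a leaked
# session key is live until it expires.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Assumption: secret access keys are 40 base64-alphabet characters. Alone that
# is too generic to match safely, so require the variable name Packer and the
# AWS SDK use next to it (case-insensitive, = or : separator, optional quotes).
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample of a Packer bake log with credentials leaked into it.
# The key values are AWS's documented example credentials, not live keys.
SAMPLE_LOG = """\
2023-01-03T10:15:02Z amazon-ebs: Prevalidating AMI Name: rosco-bake-1234
2023-01-03T10:15:02Z amazon-ebs: using AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
2023-01-03T10:15:02Z amazon-ebs: using aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
2023-01-03T10:15:03Z amazon-ebs: Creating temporary keypair: packer_63b3e2a7
2023-01-03T10:15:09Z amazon-ebs: Launching a source AWS instance...
"""


def find_credential_leaks(log_text: str) -> List[Finding]:
    """Scan every line of a bake log and return each credential found."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", m.group(1)))
    return findings


def redact_credentials(log_text: str) -> str:
    """Return the log with credential values masked.

    The AKIA/ASIA prefix is kept so an operator can still tell which kind of
    key to rotate; the secret value itself never survives redaction."""
    def mask_key_id(m: "re.Match[str]") -> str:
        return m.group(0)[:4] + "*" * 16

    def mask_secret(m: "re.Match[str]") -> str:
        prefix_len = m.start(1) - m.start(0)   # keep "aws_secret_access_key="
        return m.group(0)[:prefix_len] + "****REDACTED****"

    redacted = ACCESS_KEY_ID_RE.sub(mask_key_id, log_text)
    return SECRET_KEY_RE.sub(mask_secret, redacted)


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} found; rotate this credential")
    print(redact_credentials(SAMPLE_LOG))
```

Run it against real bake logs by reading each file and passing its text to find_credential_leaks; any finding means the key should be treated as compromised and rotated, not merely redacted, since the unredacted log has already been written to disk and possibly shipped to a log aggregator.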

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2022-23506
GHSA-2233-CQJ8-J2Q5

Affected Products

AWS
Rosco
Spinnaker