Undeleted Roles and API keys vulnerabilities in Conjur

High
ismarc published GHSA-qq4p-8c66-2cj4 Apr 6, 2022

Package

Conjur (Conjur)

Affected versions

< 1.17.3

Patched versions

1.17.3

Description

GENERAL INFORMATION

Executive Summary

This advisory details two issues related to data that is not properly deleted in Conjur OSS, which might allow unauthorized access of users or hosts:

  1. In some circumstances, updating a policy branch that defines roles (host or user) does not delete the previously defined roles in that policy (when required), allowing unauthorized access of users or hosts per that policy.
  2. Explicitly deleting a role does not delete the API key associated with that role. The API key is deactivated but could be reactivated in certain circumstances.

Affected Software

All versions of Conjur OSS prior to 1.17.3.

Detailed Explanation

  1. In some circumstances, updating a policy branch that defines roles (host or user) does not delete the previously defined roles in that policy (when required), allowing unauthorized access of users or hosts with access to Conjur, who were defined in the previous policy and who have previous knowledge about the role.
  2. When a role (user or host) is deleted, the API key associated with that role is deactivated but could, in certain circumstances, be subsequently reactivated and used by a user with permissions in Conjur who has previous knowledge about the deactivated role.

Recommendations

CyberArk recommends all customers upgrade to Conjur OSS version 1.17.3.
Customers are advised to run a DB migration preview using conjurctl db restore --preview prior to upgrading to ensure they do not remove a role that is still in use.
During the upgrade, affected roles and deactivated API keys will be automatically deleted, and a fix applied to prevent these issues from happening in the future.
It is recommended to periodically rotate roles’ API keys, according to your organization’s security standards, by following the instructions set forth in the online documentation.

MITIGATION INSTRUCTIONS

Run DB migration preview

The 1.17.3 version provides a --preview option to the conjurctl db restore command. Run conjurctl db restore --preview to list any affected roles found in the system but leave the roles in place. This enables you to determine if any of these roles may still be in use and should not be removed. To keep any roles listed here after the upgrade to 1.17.3, you must redefine them after the upgrade.

Upgrade Conjur OSS

Upgrade your Conjur OSS version to version 1.17.3 according to the instructions in the online documentation.

Workarounds

If you are currently unable to upgrade to version 1.17.3, as a temporary mitigation you may:

  1. To avoid future occurrence of the undeleted roles issue, define each sub-policy body in its own file and explicitly delete any existing role prior to policy update.
  2. To avoid the issue of an undeleted API key, manually rotate the API key of any newly created role by following the instructions in our documentation. Specifically, when creating a new role and no API key is returned, you must rotate its API key.
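The following policy files illustrate the first workaround above. They are an added example, not part of this advisory or of the Conjur project's own documentation; all policy ids (app-backend, worker-01, old-worker, and so on) are hypothetical. The root policy only declares the sub-policy, the sub-policy body lives in its own file, and that file begins with explicit !delete statements for the roles the previous version defined, so they are removed rather than left behind.

```yaml
# --- root.yml (loaded into the root policy; hypothetical ids) ---
# Declare the sub-policy here WITHOUT its body. The roles it contains are
# defined in a separate file, which keeps them out of the affected case
# (roles defined in the same file that first identifies the sub-policy).
- !policy
  id: app-backend

# --- app-backend.yml (loaded into the app-backend branch; hypothetical ids) ---
# Explicitly delete the roles the previous version of this branch defined,
# before redefining the branch, so that an update cannot leave them in place.
- !delete
  record: !host old-worker
- !delete
  record: !user temp-operator

# Current role definitions for this branch.
- !host worker-01
- !user operator

# Grant the host membership in a layer; layers and other non-role elements are
# handled normally by policy updates, per the FAQ.
- !layer workers
- !grant
  role: !layer workers
  member: !host worker-01
```

Load app-backend.yml into the app-backend branch with the policy update mode your Conjur CLI version uses for !delete statements (assumed here to be a policy update rather than a plain append). When the load response does not return an API key for a newly created role, apply the second workaround and rotate that role's API key before using it.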

FREQUENTLY ASKED QUESTIONS (FAQ)

Can I check whether I am affected by these issues?

You can check if you have been affected by running conjurctl db restore --preview using a 1.17.3 or later version of conjurctl. If any roles or API keys are listed, you have had one of the undeleted roles or API keys. If no roles are listed, you are not affected by the undeleted roles issue.
It is not possible to detect cases where a new role that reuses an undeleted API key has already been created.

Are roles defined in the root policy or in a branch defined in a different file than the root impacted?

No, the only roles that are impacted are those defined in a sub-policy body that is in the same file as the policy that first identifies that sub-policy.

Are any other policy elements (variables, groups/layers, and so on) not deleted during a policy update, when required?

No. Conjur deletes all other policy elements when they are removed or replaced.

Can deleted hosts or users have access to secrets for which they were never authorized?

No.

Might this vulnerability also come into play when explicitly deleting a role?

No. If roles were explicitly deleted using the ‘!delete’ command, they are removed.

Is there a public exploit for this vulnerability?

No. Both issues were found internally by CyberArk. CyberArk has not received any information that indicates that these vulnerabilities have been publicly exploited.

Severity

High

CVE ID

No known CVE