HCSEC-2022-06 - Terraform Enterprise May Capture Sensitive Data In Logs

Bulletin ID: HCSEC-2022-06
Affected Products / Versions: Terraform Enterprise v202112-1 through v202201-2; fixed in v202202-1.
Publication Date: February 23, 2022

Summary
Terraform Enterprise was configured to log inbound HTTP requests in a manner that may capture sensitive data. This vulnerability, CVE-2022-25374, was fixed in Terraform Enterprise v202202-1.

Background
Terraform Enterprise (TFE) is an application that helps teams use Terraform together, with many features including workspace variables and log forwarding.

Details
It was reported that TFE was writing newly-created or edited workspace variables to a log forwarding destination.

On investigation, it was determined that a traceability-related improvement within the application had an unintended side effect of logging HTTP request bodies, which in some cases included sensitive data. A sensitive data redaction mechanism that had been implemented previously was not fully effective against the logs in question.

The logs were being emitted by the ptfe_atlas container within TFE and retained locally within the TFE installation. A default installation does not forward any logs, but if TFE's log forwarding feature was enabled, these logs may have been forwarded to the configured external destination(s).

The Terraform Enterprise application logging configuration has been modified so that HTTP request bodies are no longer captured, restoring the behaviour of releases prior to v202112-1.

Remediation
Customers running affected Terraform Enterprise versions should evaluate the risk associated with this issue and consider upgrading to Terraform Enterprise v202202-1 or newer. Please refer to Upgrading Terraform Enterprise for general guidance.

Customers should also evaluate their Terraform Enterprise deployments, workspaces, and log forwarding destinations for sensitive data that may have been captured, such as the values of sensitive workspace variables, and consider appropriate actions such as rotation of secrets. Logs retained locally on the TFE installation should be reviewed as well as any external destinations, since the request bodies were written locally whether or not forwarding was enabled.
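The triage step above, and the "redaction mechanism that was not fully effective" described under Details, are illustrated by the following added example. It is not HashiCorp code and does not reproduce the actual ptfe_atlas log format, which the bulletin does not describe: it assumes a JSON-lines request log with an assumed "request_body" field holding the raw HTTP body, and constructs three sample events, one carrying a JSON:API "vars" payload for a variable marked sensitive. It shows why a redactor keyed on top-level field names misses a secret embedded in a body string, how to extract the affected variable keys for rotation, and the fix the bulletin describes (not capturing the body at all).

```python
"""Triage constructed TFE-style request logs for captured sensitive variables.

Added example, not HashiCorp code. The log format, field names and sample
events below are assumptions constructed for illustration.
"""
import json

# Constructed sample log (JSON lines). The second event carries a JSON:API
# "vars" request body whose variable is flagged sensitive; the third is a
# non-sensitive variable. The secret is AWS's documented example key.
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_LOG = r'''
{"ts":"2022-01-10T12:00:01Z","method":"GET","path":"/api/v2/workspaces/ws-abc123","request_body":""}
{"ts":"2022-01-10T12:00:02Z","method":"POST","path":"/api/v2/workspaces/ws-abc123/vars","request_body":"{\"data\":{\"type\":\"vars\",\"attributes\":{\"key\":\"AWS_SECRET_ACCESS_KEY\",\"value\":\"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\",\"category\":\"env\",\"sensitive\":true}}}"}
{"ts":"2022-01-10T12:00:03Z","method":"PATCH","path":"/api/v2/workspaces/ws-abc123/vars/var-xyz789","request_body":"{\"data\":{\"type\":\"vars\",\"attributes\":{\"key\":\"region\",\"value\":\"us-east-1\",\"sensitive\":false}}}"}
'''
LOG_LINES = [line for line in SAMPLE_LOG.splitlines() if line.strip()]


def _vars_attributes(body):
    """Return the JSON:API 'vars' attributes dict from a request body, or None
    when the body is empty, not JSON, or not a workspace-variable payload."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    data = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(data, dict) or data.get("type") != "vars":
        return None
    attrs = data.get("attributes")
    return attrs if isinstance(attrs, dict) else None


def find_captured_sensitive_vars(lines):
    """Return (timestamp, request path, variable key) for every logged request
    body that carried a variable marked sensitive: the rotation worklist."""
    hits = []
    for line in lines:
        event = json.loads(line)
        attrs = _vars_attributes(event.get("request_body", ""))
        if attrs is not None and attrs.get("sensitive") is True:
            hits.append((event["ts"], event["path"], attrs.get("key")))
    return hits


def naive_redact(line):
    """A redactor that masks only a known top-level field. It leaves the secret
    in place here because the value sits inside the request_body string, the
    failure mode of a field-name-based redaction mechanism."""
    event = json.loads(line)
    if "value" in event:
        event["value"] = "[REDACTED]"
    return json.dumps(event)


def drop_request_body(line):
    """The remediation the bulletin describes, applied at the log level:
    do not record the HTTP request body at all."""
    event = json.loads(line)
    event.pop("request_body", None)
    return json.dumps(event)


if __name__ == "__main__":
    for ts, path, key in find_captured_sensitive_vars(LOG_LINES):
        print(f"rotate {key}: captured at {ts} via {path}")
    print("naive redaction leaks secret:", SECRET in naive_redact(LOG_LINES[1]))
    print("body dropped leaks secret:   ", SECRET in drop_request_body(LOG_LINES[1]))
```

The extractor keys on the JSON:API "sensitive" attribute rather than on value patterns, so it also catches secrets that do not look like secrets; in a real review, run it over both the local ptfe_atlas logs and every forwarding destination, and treat every key it returns as compromised until rotated.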

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.