This issue has been verified to only occur in releases prior to GoCD version 21.1.0. If you are using a version of GoCD prior to 21.1.0, you must upgrade as soon as possible. GoCD versions 21.1.0 and later are not vulnerable to the leak of the symmetric key.

What is the Symmetric Key used for?

The symmetric key is used to encrypt the password that is sent over the wire, which would otherwise travel in plain text. This key is shared between all nodes and must be kept secret.
If an attacker manages to obtain this key, they will be able to decrypt any password sent over the wire that was encrypted with it.

Description of the issue

A flaw has been discovered in the GoCD software. If a user ran a single instance of GoCD as root, that instance could obtain the symmetric secret key used by multiple instances of GoCD to encrypt data. The software is not vulnerable when run as a non-root user, but it is still vulnerable when running in privileged mode (i.e. as init or systemd).
Users are advised to upgrade their installations of the software as soon as possible.

Summary of Finding

This issue has been verified to only occur in releases prior to GoCD version 21.1.0 and the fix is included in GoCD versions 21.1.0 and later.

How to Stay Protected

To stay protected against this vulnerability, follow the instructions below:
* Upgrade to GoCD 21.1.0 or later.
* If in a Kubernetes cluster and not using TLS, upgrade to kubectl version 1.11 or later.
* If you are running an older version of GoCD that has been patched but has not yet been upgraded, upgrade to the latest version as soon as possible.
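The two conditions the advisory describes (a release prior to 21.1.0, and the process running as root) can be checked with a small script. The example below is added here and is not part of the advisory or of GoCD itself; it assumes GoCD version strings of the form `MAJOR.MINOR.PATCH` with an optional `-BUILD` suffix and compares the components numerically, so that `9.x` sorts before `21.x` as intended.

```python
import os
import re

# First GoCD release that contains the fix, as stated in the advisory.
FIXED_VERSION = (21, 1, 0)

# Assumed version-string shape: "20.5.0", "21.1.0-12345", or "21.1" (patch defaults to 0).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-\d+)?")


def parse_gocd_version(version):
    """Turn a GoCD version string into a (major, minor, patch) tuple of ints.
    The build-number suffix after '-' is ignored; malformed input raises ValueError."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised GoCD version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected_version(version):
    """True for any release prior to 21.1.0 (tuple comparison, not string comparison)."""
    return parse_gocd_version(version) < FIXED_VERSION


def assess(version, runs_as_root):
    """Combine both advisory conditions into (exposed, message).

    'exposed' is True only when an affected release is running as root; an affected
    release running as a non-root user is still reported so that it gets upgraded."""
    if not is_affected_version(version):
        return (False, "not affected: GoCD 21.1.0 or later")
    if not runs_as_root:
        return (False, "affected release, but not running as root; upgrade anyway")
    return (True, "AT RISK: affected release running as root; upgrade immediately")


if __name__ == "__main__":
    # Constructed sample input: a pre-fix release, checked against the current euid.
    exposed, message = assess("20.5.0", runs_as_root=(os.geteuid() == 0))
    print(message)
```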

Summary of Product Behavior

This issue has been verified to only occur in releases prior to GoCD version 21.1.0. If you are using a version of GoCD prior to 21.1.0, you must upgrade as soon as possible. GoCD versions 21.1.0 and later are not vulnerable to the leak of the symmetric key, thanks to a fix made on May 1st, 2017.

Timeline

Published on: 10/14/2022 20:15:00 UTC
Last modified on: 10/21/2022 20:24:00 UTC
