When it comes to cloud data storage, security is everything. That’s why developers and companies trust official libraries provided or recommended by cloud service providers. However, even these libraries can sometimes contain critical vulnerabilities that may put your sensitive data at risk. Today, we'll talk about CVE-2022-39397, a dangerous secret leakage vulnerability in the popular aliyun-oss-client Rust crate for Alibaba Cloud OSS.
---
What is aliyun-oss-client?
aliyun-oss-client is a Rust library that makes it easier for developers to interact with Alibaba Cloud Object Storage Service (OSS). With the library, you don’t have to manually manage the HTTP requests, authentication, and low-level details; it’s all handled by the crate.
---
What is CVE-2022-39397?
CVE-2022-39397 is a vulnerability that leads to unintentional disclosure of secrets such as your Alibaba Cloud Access Key and Secret during client operations. This means attackers or even logs could pick up your authentication secrets, leading to exposure of your cloud data and resources.
This bug affected all versions of the aliyun-oss-client crate prior to version .8.1.
---
Who Is Affected?
If you use aliyun-oss-client below version .8.1, your secrets may be exposed unintentionally. This includes anyone building cloud-native Rust apps for Alibaba Cloud. If your project, CI/CD, or logs collect or transmit debug or error strings, your secrets could be leaked.
---
Why Did This Happen?
The problem was in error handling and logging. Earlier versions of the crate included sensitive secret data in error messages or logs. If you log an error (especially with Debug or Display output), your secrets (like access_key_id and access_key_secret) might appear in plaintext in your logs, process dumps, or external monitoring systems.
---
Below is an illustration of how secrets could leak with earlier versions of the crate
use aliyun_oss_client::client::Client;
fn main() {
// Example (DO NOT USE REAL SECRETS HERE)
let client = Client::new("access_key_id", "access_key_secret", "bucket", "endpoint");
// Some operation which could fail
let result = client.put_object("test.txt", b"Hello Cloud!");
// DEBUG/ERROR: log the error (secrets may leak here!)
if let Err(e) = result {
println!("Upload error: {:?}", e);
}
}
If the error includes your credentials, and you print it or log it, they end up in logs anyone can read. A real log line from an old vulnerable version might look like:
Upload error: OssError { access_key_id: "AKID123", access_key_secret: "SECRET123", message: "bucket not found" }
You do not want your secrets in logs like this!
---
How Bad Is It?
This is bad. In a real-world environment, logs are often shipped to external tools, support tickets, even pasted on forums and in CI/CD pipelines. An attacker with read access to logs could gain all they need to steal or destroy your cloud data.
---
Official Patch and Upgrade Path
This issue is fixed in aliyun-oss-client v.8.1.
The patch ensures that secrets aren’t included in error or debug output.
Patched code (simplified)
impl std::fmt::Debug for OssError {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
write!(f, "OssError {{ message: {:?} }}", self.message)
}
}
Now, printing or logging errors will NOT reveal access keys.
---
`
Never log or print sensitive secrets directly in your code.
---
References
- CVE-2022-39397 at GitHub Security Advisory
- Affected crate: aliyun-oss-client at crates.io
- Patch commit on GitHub
---
Final Words
Supply chain vulnerabilities—even in official libraries—are a real risk. If you use aliyun-oss-client for Rust, update to v.8.1 now to stay safe from secret leaks. Always review how your apps handle errors and logs, and treat secrets like they’re gold—because in the cloud, they are.
Timeline
Published on: 11/22/2022 21:15:00 UTC
Last modified on: 11/28/2022 14:56:00 UTC