CVE-2023-22649 - Sensitive Data Exposure in Rancher Audit Logs Explained

Date identified: January 2023
CVSS Score: 5.3 (Medium)
Impacted Product: Rancher (all versions prior to 2.7.)
Reference: Rancher Security Advisory


Audit logs are essential for tracking API activity in enterprise environments, but what if the logs themselves leak secrets? That’s the story with CVE-2023-22649, a vulnerability discovered in Rancher’s audit logging feature that could let unauthorized parties view sensitive data—right from the logs.

Let's walk through what happened, how to exploit it, and how to stay safe.

What is CVE-2023-22649?

Rancher enables admins to keep an eye on what’s happening in their Kubernetes clusters. If you turn on audit logging, Rancher will log activity from its API for troubleshooting and compliance. Audit logs are not written by default; you have to opt in.

The vulnerability: When audit logging is enabled and the log level is set to 1 (or above), Rancher may accidentally write sensitive information—like API tokens, secrets, or password fields—to the log file. If attackers or unauthorized staff have access to the logs, they could learn things they should not know.

- Rancher versions *prior to 2.7.*
- Environments where logs might be readable by unintended users, backup tools, or external log managers

If your Rancher setup doesn’t use audit logs, you are not affected.

Example

Let’s say you create a new user via Rancher’s API and submit a password field. That password may be logged like this (with AUDIT_LEVEL=1):

{
  "requestURI": "/v3/users",
  "verb": "POST",
  "requestBody": {
    "username": "johndoe",
    "password": "SuperSecret123"
  }
}

Anyone reading the audit log now knows johndoe’s initial password.

Exploiting CVE-2023-22649

There is no remote code execution or "active" exploit—the risk is passive: an attacker simply needs access to the audit.log file, which could happen via:

Attack Scenario

A malicious admin or a compromised logging system could grep audit logs for secrets. Here’s a quick bash one-liner that searches for clear-text passwords in JSON bodies:

grep -i 'password' /var/log/rancher/audit.log

Or, more precisely, extract the fields named "token" or "secret" from each logged request body:

jq '.requestBody | .token, .secret' /var/log/rancher/audit.log

The output could display API tokens, session keys, or other critical info.

Check Your Audit Level

- If you don’t need detailed logs, set AUDIT_LEVEL to 0 (off), especially if you haven’t patched.
- Lock down file permissions on the log destination.
- Ensure centralized logging tools don’t re-expose logs to other services or employees without approval.
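Before shipping existing audit logs to a central sink, or to find out whether a log written at AUDIT_LEVEL=1 already contains leaked fields, a scrubbing pass like the following helps. This is an added example, not Rancher's own code: it assumes the audit log is one JSON object per line with a `requestBody` (and optionally `responseBody`) member, and the list of sensitive key names is an assumption to adapt to your environment; the sample lines are constructed from the entry shown above.

```python
import json
import re

# Key names treated as sensitive: an assumed list for this example, extend it as needed.
SENSITIVE_KEY_RE = re.compile(r"password|token|secret|apikey", re.IGNORECASE)
# Constructed sample audit lines, modelled on the AUDIT_LEVEL=1 entry shown above.
SAMPLE_LOG = [
    '{"requestURI":"/v3/users","verb":"POST","requestBody":{"username":"johndoe","password":"SuperSecret123"}}',
    '{"requestURI":"/v3/tokens","verb":"POST","responseBody":"{\\"token\\":\\"token-abc:xyz\\"}"}',
    "not a json line",
]

def _redact(node, path, hits):
    """Recursively replace values under sensitive keys, recording their JSON paths."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if SENSITIVE_KEY_RE.search(key) and value not in (None, ""):
                hits.append(f"{path}.{key}")
                out[key] = "[REDACTED]"
            else:
                out[key] = _redact(value, f"{path}.{key}", hits)
        return out
    if isinstance(node, list):
        return [_redact(v, f"{path}[{i}]", hits) for i, v in enumerate(node)]
    return node

def redact_audit_line(line):
    """Return (sanitised line, redacted field paths); non-JSON lines pass through untouched."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        record = None
    if not isinstance(record, dict):
        return line, []
    hits = []
    for body_key in ("requestBody", "responseBody"):
        body = record.get(body_key)
        if isinstance(body, str):  # the body may itself be a JSON-encoded string
            try:
                body = json.loads(body)
            except json.JSONDecodeError:
                continue
            record[body_key] = json.dumps(_redact(body, body_key, hits))
        elif body is not None:
            record[body_key] = _redact(body, body_key, hits)
    return json.dumps(record, separators=(",", ":")), hits

def scan_log(lines):
    per_line = ((n, redact_audit_line(line)[1]) for n, line in enumerate(lines, 1))
    return {n: hits for n, hits in per_line if hits}
```

Run `scan_log` over the raw file to get a line-by-path inventory of what leaked, and write the first element of `redact_audit_line` to the copy you forward to shared logging.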

References

- Rancher Audit Logging Documentation
- Rancher Audit Log Levels
- GitHub Security Advisory

Summary

CVE-2023-22649 is a reminder: even the best tools can betray you if logs aren’t handled carefully. All it took was an overly chatty Rancher API log, and suddenly, secrets reserved for administrators were written to disk in plain text. The fix is out—upgrade your Rancher instance, review log permissions, and always treat logs as sensitive data.

Timeline

Published on: 10/16/2024 08:15:04 UTC
Last modified on: 10/16/2024 16:38:14 UTC