Rucio Log Injection Vulnerability Exposing Authentication Tokens

Vulnerability

A vulnerability exists in the common Rucio Helm charts for 'rucio-server', 'rucio-ui', and 'rucio-webui': the log format configured for the Apache access log includes the 'X-Rucio-Auth-Token' request header. Logging this header exposes user credentials, namely the internal Rucio token or the JWT obtained through OIDC authentication. Although these tokens are often truncated because of their length, which leaves the logged fragment unusable as a credential, even partial tokens should not be logged. The issue is more severe if access logs are shared with individuals beyond the instance administrators.

Impact

This vulnerability could lead to the unintentional exposure of authentication tokens in the Apache access logs, potentially allowing unauthorized access to Rucio services.

Remediation

Users can update to the patched versions of the Rucio components: 'rucio-server' (37.0.2, 35.0.1, 32.0.1), 'rucio-ui' (37.0.4, 35.0.1, 32.0.2), and 'rucio-webui' (37.0.2, 35.1.1, 32.0.1). Alternatively, the 'logFormat' variable of the chart can be edited to remove the 'X-Rucio-Auth-Token' header from the access log format.
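The following script is an added example and is not code from the Rucio project or its Helm charts. It shows the two things an administrator would want after reading the remediation: a check that a 'logFormat' value no longer references the 'X-Rucio-Auth-Token' header (Apache logs a request header through its `%{Name}i` directive, so that is what the check looks for, with a helper that strips the directive), and a scan of existing access-log lines that reports and redacts tokens already written to disk, including truncated JWT fragments. The weak format string is an assumption modelled on Apache's combined format plus the header; the chart's real default is not shown on the page. The log lines are constructed samples.

```python
"""Audit an Apache LogFormat for the X-Rucio-Auth-Token header and scan/redact
access-log lines that already contain tokens. Added example, not Rucio code."""
import re

HEADER = "X-Rucio-Auth-Token"

# Apache's %{Name}i directive logs the named request header.
HEADER_DIRECTIVE_RE = re.compile(r"%\{" + re.escape(HEADER) + r"\}i", re.IGNORECASE)

# ASSUMPTION: the vulnerable value is Apache's combined format with the token
# header appended as a final quoted field. The chart's actual default may differ.
WEAK_LOG_FORMAT = (
    '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-Rucio-Auth-Token}i"'
)


def format_leaks_token(log_format: str) -> bool:
    """True if the LogFormat string writes the auth-token header to the log."""
    return HEADER_DIRECTIVE_RE.search(log_format) is not None


def harden_log_format(log_format: str) -> str:
    """Remove the %{X-Rucio-Auth-Token}i directive (and the quotes around it)."""
    pattern = r'\s*"?%\{' + re.escape(HEADER) + r'\}i"?'
    return re.sub(pattern, "", log_format, flags=re.IGNORECASE).strip()


# Parser for a line produced by WEAK_LOG_FORMAT; the token is the last quoted field.
ACCESS_LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<token>[^"]*)"$'
)

# A JWT starts with the base64url encoding of '{"' and is dot-separated; the
# pattern deliberately accepts truncated fragments, which the advisory says are common.
JWT_LIKE_RE = re.compile(r"^eyJ[A-Za-z0-9_.\-]+$")


def classify_token(value: str):
    """Return 'jwt', 'opaque' (internal Rucio token) or None when no header was sent."""
    if value in ("", "-"):  # Apache writes "-" when the header is absent
        return None
    if JWT_LIKE_RE.match(value):
        return "jwt"
    return "opaque"


def find_leaked_tokens(lines):
    """Yield (line_number, client_host, token_kind) for every line carrying a token."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = ACCESS_LINE_RE.match(line)
        if not match:
            continue
        kind = classify_token(match.group("token"))
        if kind is not None:
            findings.append((number, match.group("host"), kind))
    return findings


def redact_line(line: str) -> str:
    """Replace the token field with a marker so the log can be retained or shared."""
    match = ACCESS_LINE_RE.match(line)
    if not match or classify_token(match.group("token")) is None:
        return line
    start, end = match.span("token")
    return line[:start] + "[REDACTED]" + line[end:]


# Constructed sample log lines (not real traffic); the JWT and opaque token are fake.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2025:15:18:00 +0000] "GET /dids/scope/name HTTP/1.1" 200 512 '
    '"-" "rucio-clients/37.0.0" "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"',
    '10.0.0.7 - - [17/Jul/2025:15:18:01 +0000] "GET /ping HTTP/1.1" 200 20 "-" "curl/8.0" "-"',
    '10.0.0.9 - - [17/Jul/2025:15:18:02 +0000] "POST /rules HTTP/1.1" 201 64 '
    '"-" "rucio-clients/37.0.0" "CONSTRUCTED-OPAQUE-TOKEN-0123abcd"',
]

if __name__ == "__main__":
    print("weak format leaks token:", format_leaks_token(WEAK_LOG_FORMAT))
    print("hardened format:", harden_log_format(WEAK_LOG_FORMAT))
    for number, host, kind in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {number}: {kind} token from {host}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Changing 'logFormat' only stops new tokens from being written; log files already rotated or shipped to a central collector still hold the old entries, which is why the scan and redaction step is included. Tokens found in historical logs should be treated as exposed and, where the token has not expired, revoked on the Rucio side.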

Added: Jul 17, 2025, 3:18 PM
Updated: Jul 17, 2025, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.