Encryption key used for external system passwords is readable in created Kubernetes manifests

Affected product(s)

  • Gradle Enterprise < 2022.2.4

Severity

Moderate

Published at

2022-06-03 (last updated on 2022-06-15)

Related CVE ID(s)

Description

When deploying Gradle Enterprise with an unattended installation configuration, passwords used to connect to external systems can be symmetrically encrypted with a user-provided encryption key. For versions of Gradle Enterprise earlier than 2022.2.4 deployed to a Kubernetes cluster, the supplied encryption key is viewable as part of the application manifest along with the configuration, allowing any person able to view and read the application manifests to decrypt the passwords.

As of Gradle Enterprise 2022.2, the passwords that may be provided in the unattended installation configuration are:

  1. The bind user password when using an LDAP service as an identity provider
  2. The password used to authenticate to the configured SMTP service

As of Gradle Enterprise 2022.2.4, the encryption key is stored as a Kubernetes secret and is no longer readable as part of the application manifest.
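A defender-side check for the exposure this advisory describes, added here and not part of the advisory or of Gradle Enterprise: it walks Kubernetes objects (as returned by `kubectl get ... -o json`) and reports key- or password-like values that live outside a `Secret`, where anyone allowed to read the object can read them. The field-name heuristic, the resource names and the sample manifests are constructed for illustration; Gradle Enterprise's real configuration keys are not on this page.

```python
import json
import re

# Field names that suggest an encryption key or an external-system password.
# Assumed heuristic; the real Gradle Enterprise config keys are not on the advisory.
SENSITIVE_NAME = re.compile(r"encrypt\w*key|password", re.IGNORECASE)

# Constructed sample, shaped like `kubectl get cm,deploy,secret -o json` output.
SAMPLE_LIST = {"kind": "List", "items": [
    {"kind": "ConfigMap", "metadata": {"name": "app-config"},
     "data": {"logLevel": "info", "encryptionKey": "c0ffee-not-a-real-key"}},
    {"kind": "Deployment", "metadata": {"name": "app"},
     "spec": {"template": {"spec": {"containers": [{"name": "app", "env": [
         {"name": "ENCRYPTION_KEY", "value": "c0ffee-not-a-real-key"},
         {"name": "LDAP_BIND_PASSWORD",
          "valueFrom": {"secretKeyRef": {"name": "app-secrets", "key": "ldap"}}}]}]}}}},
    {"kind": "Secret", "metadata": {"name": "app-secrets"},
     "data": {"encryptionKey": "YzBmZmVl"}},
]}

def load_manifests(json_text):
    """Accept a single object or a kubectl List and return the objects."""
    doc = json.loads(json_text)
    return doc["items"] if doc.get("kind") == "List" else [doc]

def _walk(node, path=""):
    """Yield (dotted_path, scalar) for every leaf; env-style {name, value}
    pairs are also yielded under the variable name so that name can be matched."""
    if isinstance(node, dict):
        if isinstance(node.get("name"), str) and "value" in node:
            yield f"{path}.{node['name']}", node["value"]
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node

def find_exposed_keys(manifests):
    """Return (kind, name, path) for sensitive-looking values stored outside a
    Secret. Whoever can read the ConfigMap or Deployment can read the key and
    therefore decrypt every password encrypted with it."""
    findings = []
    for m in manifests:
        if m.get("kind") == "Secret":
            continue  # Secret values are only base64, but RBAC can scope them separately
        for path, value in _walk(m):
            leaf = path.rsplit(".", 1)[-1]
            if isinstance(value, str) and value and SENSITIVE_NAME.search(leaf):
                findings.append((m["kind"], m["metadata"]["name"], path))
    return findings

if __name__ == "__main__":
    for kind, name, path in find_exposed_keys(load_manifests(json.dumps(SAMPLE_LIST))):
        print(f"{kind}/{name}: {path} should be moved to a Secret")
```

On a real cluster, feed it the JSON from `kubectl get configmaps,deployments -n <namespace> -o json` and review each hit against who holds `get`/`list` on those resource kinds.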

Users not using an unattended installation configuration are not affected by this vulnerability.

Mitigation

Users deploying to a Kubernetes cluster with an unattended installation configuration containing encrypted secrets should upgrade to Gradle Enterprise 2022.2.4, and should consider whether the passwords contained in the configuration need to be rotated, since anyone who could read the application manifests could have decrypted them.