
Docker Hub access credential exposure in Replicated-based installation support bundles

Affected product(s)

  • Replicated-based Gradle Enterprise installations - all versions

Severity

Moderate

Published at

2022-10-20

Description

Support bundles are a mechanism used by Gradle Enterprise support to obtain log files and other operational telemetry from a Gradle Enterprise installation. They must be generated by an installation administrator with access to the installation host environment, or via the application administration user interface. The bundle files are typically then shared with Gradle Enterprise support and discarded.

Gradle's documentation previously recommended configuring Replicated with Docker Hub credentials written in plaintext in the file /etc/replicated.conf on the host of the Gradle Enterprise installation. The contents of this file are included in support bundles, so credentials configured this way are exposed to anyone who receives a bundle.

Gradle Enterprise installations not using Replicated are unaffected.

Mitigation

  1. Remove the DockerHubUsername and DockerHubPassword entries from /etc/replicated.conf.
  2. Reconfigure the credentials using the Replicated CLI:
     $ replicatedctl params set DockerHubUsername --value your-username
     $ replicatedctl params set DockerHubPassword --value your-password
  3. Restart the Replicated admin console.

Consider revoking the previous, potentially exposed credentials and generating and configuring new ones.
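The following is an added example, not code from Gradle or Replicated, that an administrator can use to verify the mitigation above: it reports whether the two credential keys named in this advisory are still present in a replicated.conf body, produces a copy with them removed, and checks the members of a freshly generated support bundle for a known secret value. It assumes /etc/replicated.conf is a flat JSON object (the format Replicated uses for that file); the sample configuration, secret values and bundle contents are constructed for the example.

```python
import json
import sys
from typing import Dict, List, Tuple

# The two entries this advisory says were written to /etc/replicated.conf in plaintext.
DOCKER_HUB_KEYS = ("DockerHubUsername", "DockerHubPassword")


def find_exposed_keys(config_text: str) -> List[str]:
    """Return the Docker Hub credential keys present in a replicated.conf body.

    An empty list means step 1 of the mitigation has been carried out.
    """
    config = json.loads(config_text)
    return [key for key in DOCKER_HUB_KEYS if key in config]


def strip_docker_hub_keys(config_text: str) -> Tuple[str, List[str]]:
    """Return (rewritten config text, removed keys) with the credential entries dropped.

    Other settings are preserved unchanged; only the two credential keys are removed.
    """
    config = json.loads(config_text)
    removed = [key for key in DOCKER_HUB_KEYS if config.pop(key, None) is not None]
    return json.dumps(config, indent=2) + "\n", removed


def bundle_members_containing(bundle_files: Dict[str, str], secret: str) -> List[str]:
    """List bundle member paths whose text contains the given secret.

    bundle_files maps a member path inside an extracted support bundle to its text.
    Run this against a bundle generated after the mitigation, using the old
    password value, to confirm the old credential no longer appears anywhere.
    """
    if not secret:
        return []
    return [path for path, text in bundle_files.items() if secret in text]


# Constructed sample of a replicated.conf configured the way the old documentation recommended.
SAMPLE_CONF = """{
  "OtherSetting": "constructed-value",
  "DockerHubUsername": "example-user",
  "DockerHubPassword": "example-password"
}
"""

# Constructed stand-in for an extracted support bundle: member path -> file text.
SAMPLE_BUNDLE = {
    "host/etc/replicated.conf": SAMPLE_CONF,
    "logs/gradle-enterprise.log": "constructed log line with no credential\n",
}


if __name__ == "__main__":
    # Pass a path to check a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print("exposed keys:", find_exposed_keys(text))
    cleaned, removed = strip_docker_hub_keys(text)
    print("removed:", removed)
    print("bundle members with old password:",
          bundle_members_containing(SAMPLE_BUNDLE, "example-password"))
```

The script only reads the file it is given and prints a cleaned copy; writing the cleaned text back to /etc/replicated.conf and re-entering the credentials with replicatedctl remain manual steps, as in the mitigation list.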