CVE-2022-24912
📋 TL;DR
This vulnerability allows attackers to perform timing attacks against the webhook secret validation in Atlantis, potentially recovering the secret through statistical analysis of response times. Attackers could then forge webhook events to trigger unauthorized actions. Organizations using vulnerable versions of Atlantis with webhooks enabled are affected.
💻 Affected Systems
- Atlantis
📦 What is this software?
Atlantis by Runatlantis
⚠️ Risk & Real-World Impact
Worst Case
Attacker recovers webhook secret and forges malicious webhook events, potentially triggering unauthorized infrastructure changes, code deployments, or resource modifications in connected systems.
Likely Case
Attacker recovers webhook secret and sends forged events to trigger automated workflows, potentially causing service disruption or unauthorized changes.
If Mitigated
With proper network segmentation and monitoring, forged events would be detected before causing significant damage, though secret recovery still represents a security breach.
🎯 Exploit Status
Timing attacks require statistical analysis and multiple requests, but tools exist to automate this. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.19.7 and later
Vendor Advisory: https://github.com/runatlantis/atlantis/security/advisories/GHSA-5q3x-9hq5-8q5g
Restart Required: Yes
Instructions:
1. Update Atlantis to version 0.19.7 or later.
2. Restart the Atlantis service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable webhooks
Temporarily disable webhook functionality if not required
Configure Atlantis without webhook support or block webhook endpoints at network level
Network isolation
Restrict access to webhook endpoints to trusted sources only
Use firewall rules to limit access to Atlantis webhook port from authorized IPs only
🧯 If You Can't Patch
- Implement network-level controls to restrict webhook access to trusted sources only
- Increase monitoring of webhook events and implement anomaly detection for unusual patterns
🔍 How to Verify
Check if Vulnerable:
Check the Atlantis version: if it is below 0.19.7 and webhooks are enabled, the system is vulnerable.
Check Version:
atlantis version
Verify Fix Applied:
Verify Atlantis version is 0.19.7 or later and check that webhook validation uses constant-time comparison in the code.
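The check above asks whether the secret comparison is constant-time. The following Go example, added here and not taken from the Atlantis code base, shows the shape of the defect this class of bug has (a plain string comparison that stops at the first differing byte, which is what makes response time depend on how much of a guess is correct) next to two hardened validators: one for a shared-token header of the kind GitLab sends in X-Gitlab-Token, using crypto/subtle on fixed-length digests, and one for an HMAC-SHA256 body signature of the kind GitHub sends in X-Hub-Signature-256, using hmac.Equal. The header names are conventions of those providers, not a statement about which code path in Atlantis was affected; the secret and payload are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// vulnerableTokenMatch illustrates the defect pattern the advisory describes:
// Go's string comparison is not guaranteed constant-time, so its run time can
// depend on how many leading bytes of the supplied value are correct. Shown
// only as the "before"; never use it for secrets.
func vulnerableTokenMatch(headerToken, configuredSecret string) bool {
	return headerToken == configuredSecret
}

// safeTokenMatch compares a shared-secret header in constant time. Both sides
// are hashed first so the compared values have a fixed length; this means the
// comparison does not even reveal the configured secret's length.
func safeTokenMatch(headerToken, configuredSecret string) bool {
	a := sha256.Sum256([]byte(headerToken))
	b := sha256.Sum256([]byte(configuredSecret))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// safeSignatureMatch validates a "sha256=<hex>" HMAC-SHA256 body signature.
// hmac.Equal is constant-time, and we compute the expected MAC ourselves rather
// than trusting anything in the request beyond the raw body.
func safeSignatureMatch(body []byte, signatureHeader string, secret []byte) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(signatureHeader, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(signatureHeader, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// signBody produces the header value a legitimate sender would attach. It is
// here only so the example can build a valid sample request offline.
func signBody(body, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

func main() {
	secret := []byte("constructed-example-secret")           // placeholder, not a real secret
	body := []byte(`{"action":"opened","number":42}`)         // constructed sample payload
	good := signBody(body, secret)
	fmt.Println("valid signature accepted:", safeSignatureMatch(body, good, secret))
	fmt.Println("tampered body rejected:", !safeSignatureMatch([]byte(`{"action":"closed"}`), good, secret))
	fmt.Println("shared token match:", safeTokenMatch("tok", "tok"), safeTokenMatch("tok", "tok2"))
}
```

When reviewing a patch for this issue, the thing to look for is exactly this substitution: every place a request-supplied token or signature meets the configured secret should go through subtle.ConstantTimeCompare or hmac.Equal, and the expected value should be recomputed server-side from the body rather than compared against anything the client chose.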
📡 Detection & Monitoring
Log Indicators:
- Unusual number of webhook validation failures
- Webhook requests from unexpected sources
- Timing patterns in validation responses
Network Indicators:
- High volume of requests to webhook endpoints
- Requests with varying payloads to test timing differences
SIEM Query:
source="atlantis" AND (event="webhook_validation_failed" OR event="webhook_received") | stats count by src_ip
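The indicators above boil down to many validation failures from one source in a short span. As an added example (not part of the original advisory, and not Atlantis's own logging), the Go program below parses a constructed key=value log in a hypothetical format, reproduces the SIEM query's count-by-source offline, and then applies a sliding-window burst rule, which is a stronger signal than a raw total because a timing attack needs a dense stream of probes. The log lines, IP addresses and event names are constructed; the event names mirror the ones in the query above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this example. The key=value layout is a
// hypothetical stand-in, not Atlantis's actual log format.
const sampleLog = `ts=2024-01-01T10:00:00Z event=webhook_received src_ip=10.0.0.5
ts=2024-01-01T10:00:03Z event=webhook_validation_failed src_ip=10.0.0.5
ts=2024-01-01T10:00:10Z event=webhook_validation_failed src_ip=203.0.113.7
ts=2024-01-01T10:00:11Z event=webhook_validation_failed src_ip=203.0.113.7
ts=2024-01-01T10:00:12Z event=webhook_validation_failed src_ip=203.0.113.7
ts=2024-01-01T10:00:13Z event=webhook_validation_failed src_ip=203.0.113.7
ts=2024-01-01T10:00:14Z event=webhook_validation_failed src_ip=203.0.113.7
ts=2024-01-01T10:00:15Z event=webhook_validation_failed src_ip=203.0.113.7
ts=2024-01-01T10:05:00Z event=webhook_validation_failed src_ip=198.51.100.9
ts=2024-01-01T10:20:00Z event=webhook_validation_failed src_ip=198.51.100.9
ts=2024-01-01T10:35:00Z event=webhook_validation_failed src_ip=198.51.100.9
ts=2024-01-01T10:40:00Z event=webhook_received src_ip=10.0.0.5
`

var lineRe = regexp.MustCompile(`^ts=(\S+) event=(\S+) src_ip=(\S+)$`)

type webhookEvent struct {
	ts    time.Time
	event string
	srcIP string
}

// parseLog turns matching lines into events and skips anything else (blank
// lines, unrelated entries). A malformed timestamp on a matching line is an error.
func parseLog(text string) ([]webhookEvent, error) {
	var events []webhookEvent
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		m := lineRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", m[1], err)
		}
		events = append(events, webhookEvent{ts: ts, event: m[2], srcIP: m[3]})
	}
	return events, sc.Err()
}

// failuresPerSource is the offline equivalent of the SIEM query above:
// validation failures counted by source IP.
func failuresPerSource(events []webhookEvent) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		if e.event == "webhook_validation_failed" {
			counts[e.srcIP]++
		}
	}
	return counts
}

// burstSources returns, sorted, every source that produced more than threshold
// validation failures inside any sliding window of the given length.
func burstSources(events []webhookEvent, window time.Duration, threshold int) []string {
	byIP := map[string][]time.Time{}
	for _, e := range events {
		if e.event == "webhook_validation_failed" {
			byIP[e.srcIP] = append(byIP[e.srcIP], e.ts)
		}
	}
	var flagged []string
	for ip, times := range byIP {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			// Slide the window start forward until it is within `window` of times[end].
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 > threshold {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("failures by source:", failuresPerSource(events))
	fmt.Println("burst sources (>5 failures in 1m):", burstSources(events, time.Minute, 5))
}
```

On the constructed log, only 203.0.113.7 trips the one-minute rule; 198.51.100.9 has three failures but spread over half an hour, which is what a legitimate misconfigured sender tends to look like. Tune the window and threshold to the webhook rate you actually see, and keep the per-source count in the alert so the source can be matched against the allowlist used for the network-isolation workaround.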
🔗 References
- https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
- https://github.com/runatlantis/atlantis/issues/2391
- https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851