CVE-2022-25374
📋 TL;DR
HashiCorp Terraform Enterprise versions v202112-1 through v202201-2 log inbound HTTP requests in a way that may capture sensitive data like credentials or tokens. This affects organizations using these specific Terraform Enterprise versions. The vulnerability exposes sensitive information through application logs.
💻 Affected Systems
- HashiCorp Terraform Enterprise
📦 What is this software?
HashiCorp Terraform Enterprise is the self-hosted distribution of Terraform Cloud. It runs Terraform plans and applies remotely, stores state, and manages workspaces, teams and policy through a web UI and an HTTP API that is driven by user, team and organization API tokens, which is why request logging is security-relevant here.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to logs containing authentication tokens, API keys, or other sensitive data, leading to unauthorized access to infrastructure and potential lateral movement.
Likely Case
Sensitive data like API tokens or credentials are exposed in logs, which could be accessed by administrators or attackers with log access, potentially leading to credential theft.
If Mitigated
With proper log access controls and monitoring, exposure is limited to authorized personnel only, reducing risk of credential misuse.
🎯 Exploit Status
No remote exploit is involved: an attacker needs to read the Terraform Enterprise logs, which normally means administrative or privileged access to the host, to Replicated support bundles, or to any external log aggregation or SIEM platform the logs are forwarded to. Forwarded copies widen the audience for the captured secrets beyond the TFE hosts themselves.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v202202-1
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2022-06-terraform-enterprise-may-capture-sensitive-data-in-logs/
Restart Required: Yes
Instructions:
1. Back up the current Terraform Enterprise instance.
2. Upgrade to v202202-1 or later following HashiCorp's upgrade documentation.
3. Restart the Terraform Enterprise service.
4. Verify that HTTP request logs no longer contain sensitive data.
5. Treat any API tokens or credentials that were sent to the instance while it ran an affected version as exposed: rotate them, and purge or redact the log files (and forwarded copies) from that window.
🔧 Temporary Workarounds
Restrict Log Access
Limit access to Terraform Enterprise log files to the administrators who need them. The path below is a placeholder for wherever your deployment writes its logs; set the owner to the account that actually writes the logs (changing it to root:root blindly can stop the service from writing), and remember that the same lines may already be present in any external log aggregator you forward to.
chmod 700 /path/to/terraform/logs
chmod 600 /path/to/terraform/logs/*
chown <log-writer-user>:<admin-group> /path/to/terraform/logs/*
Implement Log Monitoring
Deploy log monitoring that records who reads the Terraform Enterprise log files, generates support bundles, or queries the forwarded logs in your SIEM, and alert on access outside the expected administrators.
🧯 If You Can't Patch
- Implement strict access controls on log storage, shorten retention, and rotate logs aggressively so captured secrets are kept for as little time as possible.
- Monitor and audit all access to Terraform Enterprise logs (including forwarded copies and support bundles) for suspicious activity.
- Rotate API tokens and credentials that have been sent to the instance since it started running an affected version; assume they may have been logged.
🔍 How to Verify
Check if Vulnerable:
Check Terraform Enterprise version via admin UI or API; if version is v202112-1, v202112-2, v202201-1, or v202201-2, system is vulnerable.
Check Version:
The release version is not exposed through the terraform CLI; read it from the Terraform Enterprise admin UI or the Replicated admin console. Release tags have the form vYYYYMM-N, so compare them by year, month and sequence number rather than as plain strings.
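An added example (not from the page or from HashiCorp) of the version check above done programmatically: it parses the vYYYYMM-N release tag and tests it against the affected range stated on this page (first affected v202112-1, first fixed v202202-1). Comparing tags as tuples avoids the trap of plain string comparison, where a hypothetical v202112-10 would sort before v202112-2. The affected range is the only input here; the function names are mine.

```python
import re
from typing import Tuple

# Terraform Enterprise release tags look like v202112-1: year, month, sequence within the month.
RELEASE_RE = re.compile(r"^v(\d{4})(\d{2})-(\d+)$")

# Range taken from the advisory summary above: first affected and first fixed release.
FIRST_AFFECTED = "v202112-1"
FIRST_FIXED = "v202202-1"


def parse_release(tag: str) -> Tuple[int, int, int]:
    """Turn 'v202112-1' into (2021, 12, 1) so releases compare chronologically."""
    m = RELEASE_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a Terraform Enterprise release tag: {tag!r}")
    year, month, seq = (int(g) for g in m.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"invalid month in release tag: {tag!r}")
    return (year, month, seq)


def is_vulnerable(tag: str) -> bool:
    """True when FIRST_AFFECTED <= tag < FIRST_FIXED, i.e. the instance needs the patch."""
    rel = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= rel < parse_release(FIRST_FIXED)


if __name__ == "__main__":
    # Example tags; replace with the version shown in your admin UI.
    for t in ("v202111-1", "v202112-1", "v202201-2", "v202202-1"):
        print(t, "VULNERABLE" if is_vulnerable(t) else "ok")
```

Run it with the tag shown in your admin UI; anything reported VULNERABLE should be upgraded to v202202-1 or later and its logs treated as containing secrets.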
Verify Fix Applied:
After upgrading to v202202-1 or later, exercise the API with a test token and confirm that the resulting HTTP request log lines contain neither the Authorization header value nor credential-bearing query parameters. Then purge or redact the logs written by the affected version, since the fix does not clean up what was already captured.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to log files
- Log entries containing sensitive patterns such as 'Authorization: Bearer', 'token=', 'password=', or 'secret=', or values containing the 'atlasv1' segment used by Terraform Cloud/Enterprise API tokens
Network Indicators:
- Unusual access patterns to log storage locations
SIEM Query:
source="terraform-enterprise" AND ("token" OR "password" OR "secret")
The source value is a placeholder for whatever name your SIEM gives the Terraform Enterprise request logs. The bare keywords will also match benign text (field names, documentation URLs), so tune the query to the request-line or header fields before alerting on it.
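An added example, written for this page and not taken from HashiCorp or from the advisory, that turns the log indicators above into detection and redaction logic and runs it over constructed sample lines. The lines imitate a generic HTTP access log; they are not real Terraform Enterprise output, and the token values are invented. The only format-specific assumption is that Terraform Cloud/Enterprise API tokens contain an `atlasv1` segment; the pattern names and function names are mine.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample log lines (not real TFE output; all secrets are made up).
SAMPLE_LOG = """\
2022-01-10T12:00:01Z GET /api/v2/workspaces/ws-abc123 200 Authorization: Bearer Zq7yXk2.atlasv1.AbCdEf0123456789
2022-01-10T12:00:02Z POST /session?user=alice&password=hunter2 302
2022-01-10T12:00:03Z GET /api/v2/organizations/acme 200
2022-01-10T12:00:04Z GET /app/acme/workspaces?token=eyJhbGciOiJIUzI1NiJ9.payload.sig 200
"""

# Each pattern has two groups: a prefix to keep (may be empty) and the secret to redact.
# Order matters: the Authorization header is handled first so the token inside it is
# redacted as a unit before the generic token pattern runs.
PATTERNS: List[Tuple[str, Pattern[str]]] = [
    # Authorization header copied verbatim into the request log.
    ("bearer_token", re.compile(r"(?i)(authorization:\s*bearer\s+)(\S+)")),
    # Terraform Cloud/Enterprise API tokens have the shape <id>.atlasv1.<secret>.
    ("tfe_token", re.compile(r"()\b([A-Za-z0-9]+\.atlasv1\.[A-Za-z0-9]+)\b")),
    # Credentials passed as query-string or form parameters (the page's token=/password=/secret= indicators).
    ("query_secret", re.compile(r"(?i)((?:^|[?&\s])(?:token|password|secret|api_key)=)([^&\s]+)")),
]


def scan(line: str) -> List[str]:
    """Return the kinds of sensitive material found in one log line (empty if clean)."""
    return [kind for kind, rx in PATTERNS if rx.search(line)]


def redact(text: str) -> str:
    """Replace every detected secret with a marker while keeping the field name or header."""
    for _kind, rx in PATTERNS:
        text = rx.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


def scan_log(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the kinds of secrets found; clean lines are omitted."""
    return {n: kinds for n, line in enumerate(text.splitlines(), 1) if (kinds := scan(line))}


if __name__ == "__main__":
    for n, kinds in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(kinds)}")
    print(redact(SAMPLE_LOG))
```

Point `scan_log` at a real request log (or a support-bundle extract) to confirm whether an affected instance actually captured secrets, and at logs from the patched version to verify the fix; `redact` gives a safe form of the same lines that can be retained or shared with the vendor without re-exposing the tokens.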