CVE-2022-31044
📋 TL;DR
Rundeck 4.2.0 and 4.2.1 have a vulnerability where the Key Storage encryption mechanism fails to work properly, causing credentials to be stored in plaintext instead of encrypted. This affects all users of Rundeck 4.2.0/4.2.1 who use Storage Converter plugins. Attackers with access to the backend storage could read sensitive credentials.
💻 Affected Systems
- Rundeck
📦 What is this software?
Rundeck by Pagerduty
⚠️ Risk & Real-World Impact
Worst Case
All credentials stored in Rundeck key storage are exposed in plaintext, allowing complete compromise of automated systems and sensitive data.
Likely Case
Credentials stored during the vulnerable period remain in plaintext, potentially exposing API keys, passwords, and other secrets to anyone with storage access.
If Mitigated
With proper access controls and patching, only credentials created during the vulnerable window remain at risk until re-encrypted.
🎯 Exploit Status
Exploitation requires access to the backend storage where credentials are stored. The vulnerability is in the encryption mechanism itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.1 or 4.2.2
Vendor Advisory: https://github.com/rundeck/rundeck/security/advisories/GHSA-hprf-rrwq-jm5c
Restart Required: Yes
Instructions:
1. Upgrade to Rundeck 4.3.1 or 4.2.2.
2. Restart the Rundeck service.
3. The upgrade will automatically re-encrypt any plaintext credentials.
4. Verify that encryption is working.
🔧 Temporary Workarounds
Disable Key Storage Write Access
Prevent creation or modification of credentials via ACLs to avoid plaintext storage.
# Configure ACL policies to restrict write access to key storage
# See Rundeck ACL documentation for specific configuration
🧯 If You Can't Patch
- Immediately disable write access to key storage using ACL policies
- Audit and rotate all credentials that may have been stored during vulnerable period
🔍 How to Verify
Check if Vulnerable:
Check the Rundeck version: if you are running 4.2.0 or 4.2.1, you are vulnerable. Also check whether any Storage Converter plugins are enabled, since the exposure applies to Key Storage that is meant to be encrypted by such a plugin.
Check Version:
rundeckd --version or check Rundeck web interface version
Verify Fix Applied:
After upgrading to 4.3.1/4.2.2, verify version and check that new credentials are properly encrypted in storage.
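The three checks above (version in the affected set, a Storage Converter plugin configured, and new credentials actually encrypted in the backend) can be scripted. The following is an added example, not code from the advisory or from the Rundeck project. It assumes, without confirmation from this page, that converters are declared in rundeck-config.properties as `rundeck.storage.converter.<N>.type=<plugin>` and that filesystem Key Storage keeps its content as ordinary files under a directory you can read; the encryption check avoids depending on the on-disk format by storing a canary secret through the Rundeck UI or API first and then looking for that exact string in the backend.

```python
"""Added example for CVE-2022-31044 (not from the advisory or Rundeck).

Assumptions, labelled here and in the lead-in:
- rundeck-config.properties declares converters as
  rundeck.storage.converter.<N>.type=<plugin>
- filesystem Key Storage content lives as plain files under a directory
  (for example var/storage/content/keys/); the canary scan only needs to
  read bytes, so the actual storage format does not matter.
"""
import os
import re

# Affected versions taken from the advisory.
AFFECTED_VERSIONS = {(4, 2, 0), (4, 2, 1)}

# Assumed property-key shape for a Storage Converter declaration.
CONVERTER_KEY = re.compile(r"^rundeck\.storage\.converter\.(\d+)\.type\s*=\s*(\S+)")

# Constructed sample of a rundeck-config.properties fragment (not from the page).
SAMPLE_PROPERTIES = """\
grails.serverURL=https://rundeck.example.internal
rundeck.storage.converter.1.type=jasypt-encryption
rundeck.storage.converter.1.path=keys
rundeck.storage.converter.1.config.encryptorType=custom
rundeck.storage.converter.1.config.password=REPLACE_WITH_CONVERTER_PASSWORD
"""

# Constructed sample of what a backend scan might read back: one entry that
# was encrypted and one that was written in the clear.
SAMPLE_STORAGE = {
    "keys/project/db-password": b"ENC(3f9a...not-the-plaintext...)",
    "keys/project/api-token": b"canary-9f8e7d6c",
}


def parse_version(text):
    """Return (major, minor, patch) from a version string such as
    '4.2.1-20220504' (the trailing build date is ignored)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def converters_configured(properties_text):
    """List the plugin types of every Storage Converter declared in the
    properties text. An empty list means no converter is in use."""
    found = []
    for line in properties_text.splitlines():
        m = CONVERTER_KEY.match(line.strip())
        if m:
            found.append(m.group(2))
    return found


def is_affected(version_text, properties_text):
    """True only when both advisory conditions hold: an affected version and
    at least one Storage Converter plugin configured."""
    affected_version = parse_version(version_text) in AFFECTED_VERSIONS
    return affected_version and bool(converters_configured(properties_text))


def scan_blobs(blobs, canary):
    """Return the names of every blob whose raw bytes contain the canary
    secret verbatim. Any hit means the converter did not encrypt it."""
    needle = canary.encode()
    return [name for name, data in blobs.items() if needle in data]


def canary_in_plaintext(storage_dir, canary):
    """Read every file under the backend storage directory and report those
    that still contain the canary you stored through the UI or API."""
    blobs = {}
    for root, _dirs, files in os.walk(storage_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                blobs[path] = fh.read()
    return scan_blobs(blobs, canary)


if __name__ == "__main__":
    print("affected:", is_affected("Rundeck 4.2.1-20220504", SAMPLE_PROPERTIES))
    print("converters:", converters_configured(SAMPLE_PROPERTIES))
    print("plaintext hits:", scan_blobs(SAMPLE_STORAGE, "canary-9f8e7d6c"))
```

In practice, run `canary_in_plaintext` against the real storage directory after the upgrade: store a throwaway password such as `canary-9f8e7d6c` as a new Key Storage entry, scan, then delete the canary entry. An empty result for a freshly stored entry is the evidence that re-encryption is working; a hit on an older entry identifies a credential that was written during the vulnerable window and should be rotated.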
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to key storage backend
- Failed encryption operations in logs
Network Indicators:
- Unusual outbound connections from Rundeck server
SIEM Query:
Search for Rundeck version strings 4.2.0 or 4.2.1 in system logs