CVE-2023-34236
📋 TL;DR
Weave GitOps Terraform Controller runs each Terraform object in a dedicated tf-runner pod, and the runner writes the output of the Terraform commands it executes to the pod's standard output. That output can include variable values, outputs and other configuration data such as tokens, so anyone who can read the runner pod's logs, through the Kubernetes API or through a log aggregation system that collects container stdout, can recover the credentials and secrets used in Terraform operations. Weaveworks rates the issue as exploitable by an authenticated remote attacker. Affected users are those running the controller below v0.14.4, or a 0.15.0 release candidate before rc.5.
💻 Affected Systems
- Weave GitOps Terraform Controller (tf-controller) before v0.14.4, and v0.15.0-rc.1 through v0.15.0-rc.4
📦 What is this software?
Weave GitOps Terraform Controller (tf-controller) is a Flux controller that reconciles Terraform resources the GitOps way: a Terraform custom resource points at a source, and the controller plans and applies it from a per-object tf-runner pod.
⚠️ Risk & Real-World Impact
Worst Case
Cloud or provider credentials leaked through Terraform variables and outputs give an attacker the same access the pipeline has to the infrastructure it manages, leading to data breaches, resource hijacking, or complete compromise of those environments.
Likely Case
Credential and configuration values from Terraform runs are readable by anyone with log access, enabling unauthorized access to cloud resources or internal systems.
If Mitigated
If pod log access is already tightly restricted, exposure is limited to users who legitimately have that access. The data is still written to stdout, so it also lands in any logging pipeline that collects runner output; those stores need the same restrictions.
🎯 Exploit Status
No exploit tooling is needed: the sensitive data is in plain text in the tf-runner pod's stdout. An attacker needs the ability to read those logs, in practice a Kubernetes identity allowed to get the pods/log subresource in the runner's namespace, or access to a logging system that ingests container stdout.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.14.4 (0.14 line) or v0.15.0-rc.5 (0.15 pre-release line)
Vendor Advisory: https://github.com/weaveworks/tf-controller/security/advisories
Restart Required: Yes
Instructions:
1. Identify the running tf-controller version (see How to Verify below).
2. Update to v0.14.4 or v0.15.0-rc.5 via Helm or by updating the deployment image directly.
3. Restart the tf-runner pods so they run the fixed runner; runners started by the old controller keep the old logging behaviour until they are recreated.
🔧 Temporary Workarounds
Disable Terraform Logs
Add an environment variable that stops the tf-runner from writing Terraform command output to its logs.
Set DISABLE_TF_LOGS=true in the runner pod template of each Terraform custom resource (spec.runnerPodTemplate.spec.env). This also removes that output from the logs for troubleshooting, so it is a stop-gap until the upgrade.
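The workaround written out as a complete Terraform object. This is an added example, not a manifest from the project or the advisory; the object name, namespace, source reference and the v1alpha2 API version are assumptions, and the only part that matters for the workaround is the `runnerPodTemplate` block.

```yaml
# Added example (not project code). Names, namespace, source and apiVersion are assumed.
apiVersion: infra.contrib.fluxcd.io/v1alpha2
kind: Terraform
metadata:
  name: example-stack            # assumed
  namespace: flux-system          # assumed default namespace
spec:
  interval: 1h
  approvePlan: auto
  path: ./terraform
  sourceRef:
    kind: GitRepository
    name: example-repo            # assumed
  # Workaround for CVE-2023-34236: stop the runner from logging Terraform output.
  runnerPodTemplate:
    spec:
      env:
        - name: DISABLE_TF_LOGS
          value: "true"
```

`env` is a list: if the object already passes environment variables to its runner (provider credentials, regions), append the entry to that list rather than replacing it, and remember that every Terraform object needs the change, not just one.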
🧯 If You Can't Patch
- Restrict who can read runner logs: limit get on the pods/log subresource via Kubernetes RBAC in the runner namespace, and use network policies to fence off any exposed logging endpoints
- Implement log filtering or redaction at the logging layer to mask sensitive data
🔍 How to Verify
Check if Vulnerable:
Vulnerable if the tf-controller image tag is below v0.14.4, or is v0.15.0-rc.1 through v0.15.0-rc.4. Note that the release candidates sort above v0.14.4, so a plain "newer than 0.14.4" comparison is not enough.
Check Version (assumes the default flux-system namespace and deployment name):
kubectl -n flux-system get deployment tf-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
Verify Fix Applied:
Confirm the image tag is v0.14.4 or later on the 0.14 line, v0.15.0-rc.5 or later on the 0.15 pre-release line, or any later release, and check that tf-runner pod logs no longer contain Terraform variable values or outputs
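The version check above, carried through so that the release-candidate gap is handled correctly. This is an added example and not code from the project; it assumes the default deployment name `tf-controller` and namespace `flux-system`, and the tags it classifies offline are constructed.

```sh
#!/bin/sh
# Added example (not project code): classify a tf-controller image tag against
# the CVE-2023-34236 range. Fixed in v0.14.4 and v0.15.0-rc.5; 0.15.0-rc.1..rc.4
# are vulnerable even though they sort above 0.14.4.

# image_tag IMAGE: print the tag of an image reference, or nothing if the image
# is pinned by digest only. Handles registries with ports (host:5000/x:tag) and
# trailing @sha256:... digests.
image_tag() {
  ref=${1%%@*}              # drop @sha256:... if present
  last=${ref##*/}           # last path component, e.g. tf-controller:v0.14.3
  case "$last" in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   printf '\n' ;;
  esac
}

# tf_controller_vulnerable VERSION
# exit 0 = vulnerable, 1 = fixed, 2 = cannot tell (e.g. "latest", digest only)
tf_controller_vulnerable() {
  ver=${1#v}
  core=${ver%%-*}                                   # 0.15.0
  pre=""
  case "$ver" in *-*) pre=${ver#*-} ;; esac         # rc.4
  case "$core" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 2 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $core; IFS=$oldifs
  major=$1; minor=$2; patch=$3
  case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac

  if [ "$major" -gt 0 ] || [ "$minor" -gt 15 ]; then
    return 1
  elif [ "$minor" -lt 14 ]; then
    return 0
  elif [ "$minor" -eq 14 ]; then
    [ "$patch" -lt 4 ]                              # 0.14.0 .. 0.14.3
  elif [ "$patch" -gt 0 ] || [ -z "$pre" ]; then
    return 1                                        # 0.15.0 final and later
  else
    case "$pre" in
      rc.[0-9]*) [ "${pre#rc.}" -lt 5 ] ;;          # rc.1 .. rc.4
      *) return 2 ;;                                # unfamiliar pre-release
    esac
  fi
}

# vuln_status VERSION: print vulnerable | fixed | unknown
vuln_status() {
  rc=0
  tf_controller_vulnerable "$1" || rc=$?
  case $rc in
    0) echo vulnerable ;;
    1) echo fixed ;;
    *) echo unknown ;;
  esac
}

# check_cluster [NAMESPACE]: read the running controller image and classify it.
# Assumes the default deployment name (tf-controller) and namespace (flux-system).
check_cluster() {
  ns=${1:-flux-system}
  image=$(kubectl -n "$ns" get deployment tf-controller \
    -o jsonpath='{.spec.template.spec.containers[0].image}')
  printf '%s -> %s\n' "$image" "$(vuln_status "$(image_tag "$image")")"
}

# Offline demo on constructed tags; pass --cluster [NAMESPACE] to query a cluster.
if [ "${1:-}" = "--cluster" ]; then
  check_cluster "${2:-}"
else
  for tag in v0.14.3 v0.14.4 v0.15.0-rc.4 v0.15.0-rc.5 v0.15.0 latest; do
    printf '%-14s %s\n' "$tag" "$(vuln_status "$tag")"
  done
fi
```

A digest-pinned image or a floating tag such as `latest` comes back as `unknown`; resolve the digest to a release tag in your registry before treating it as fixed.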
📡 Detection & Monitoring
Log Indicators:
- Sensitive Terraform output in tf-runner pod logs
- Credentials, tokens, or configuration data in stdout/stderr
Access Indicators:
- Kubernetes audit log entries for get requests on the pods/log subresource of tf-runner pods from principals that do not normally read them
- Unusual log retrieval patterns, such as bulk reads of runner logs from a single identity or from outside the cluster
SIEM Query (Splunk-style; adjust the source and field names to your platform):
source="kubernetes" AND pod_name="*tf-runner*" AND (message="*secret*" OR message="*token*" OR message="*password*" OR message="*credential*")
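The detection logic behind that query, run over sample runner output, plus the redaction step mentioned under "If You Can't Patch". This is an added example rather than the project's or the advisory's code; the log lines are constructed, and the live scan assumes runner pods follow the default `<terraform-object>-tf-runner` naming.

```sh
#!/bin/sh
# Added example (not project code): scan tf-runner pod logs for Terraform
# output that looks like leaked secrets, and redact it before it reaches a
# log store. The log lines in sample_log are constructed for the example.

# Name-based terms from the SIEM query plus two value-shaped patterns: AWS
# access key IDs and PEM private-key headers. Names match in either case; the
# value patterns are case-sensitive on purpose.
SENSITIVE_RE='([sS]ecret|[tT]oken|[pP]assword|[cC]redential|AKIA[0-9A-Z]{16}|BEGIN [A-Z ]*PRIVATE KEY)'

# sample_log: constructed output in the shape "kubectl logs <name>-tf-runner" shows.
sample_log() {
  cat <<'EOF'
2023-06-01T10:00:00Z tf-runner: terraform init -no-color
2023-06-01T10:00:02Z tf-runner: Initializing the backend...
2023-06-01T10:00:09Z tf-runner: Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
2023-06-01T10:00:09Z tf-runner: Outputs:
2023-06-01T10:00:09Z tf-runner: db_password = "s3cr3t-Pa55"
2023-06-01T10:00:09Z tf-runner: github_token = <sensitive>
2023-06-01T10:00:09Z tf-runner: aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
2023-06-01T10:00:09Z tf-runner: vpc_id = "vpc-0123456789abcdef0"
EOF
}

# sensitive_lines: print the stdin lines that match; no match is not an error.
sensitive_lines() {
  grep -E "$SENSITIVE_RE" || [ $? -eq 1 ]
}

# count_sensitive: print how many stdin lines match (0 when none).
count_sensitive() {
  sensitive_lines | grep -c . || true
}

# redact_values: keep the variable name (it is the detection signal) but replace
# everything after '=' on a name-matched line, and mask AWS key IDs anywhere.
redact_values() {
  sed -E \
    -e 's/^(.*([sS]ecret|[tT]oken|[pP]assword|[cC]redential)[^=]*=[[:space:]]*).*$/\1[REDACTED]/' \
    -e 's/AKIA[0-9A-Z]{16}/AKIA[REDACTED]/g'
}

# scan_cluster [NAMESPACE]: run the count over every live runner pod.
# Assumes runner pods are named <terraform-object>-tf-runner (default naming).
scan_cluster() {
  ns=${1:-flux-system}
  kubectl -n "$ns" get pods -o name | grep -- '-tf-runner$' | while read -r pod; do
    n=$(kubectl -n "$ns" logs "$pod" | count_sensitive)
    printf '%s: %s suspicious line(s)\n' "$pod" "$n"
  done
}

# Offline demo on the constructed log; pass --cluster [NAMESPACE] for live pods.
if [ "${1:-}" = "--cluster" ]; then
  scan_cluster "${2:-}"
else
  echo "matches in constructed sample: $(sample_log | count_sensitive)"
  sample_log | sensitive_lines
  echo "--- redacted ---"
  sample_log | redact_values
fi
```

Two things the sample shows that the SIEM query alone does not: name-based matching also fires on values Terraform already masked (`github_token = <sensitive>`), so expect noise, and value-shaped patterns catch leaks whose variable names are innocuous (`aws_access_key_id`). Redaction at the logging layer is a mitigation for the log store only; the secret still appears in the pod's stdout.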
🔗 References
- https://github.com/weaveworks/tf-controller/commit/28282bc644054e157c3b9a3d38f1f9551ce09074
- https://github.com/weaveworks/tf-controller/commit/6323b355bd7f5d2ce85d0244fe0883af3881df4e
- https://github.com/weaveworks/tf-controller/commit/9708fda28ccd0466cb0a8fd409854ab4d92f7dca
- https://github.com/weaveworks/tf-controller/commit/98a0688036e9dbcf43fa84960d9a1ef3e09a69cf
- https://github.com/weaveworks/tf-controller/issues/637
- https://github.com/weaveworks/tf-controller/issues/649
- https://github.com/weaveworks/tf-controller/security/advisories/GHSA-6hvv-j432-23cv