Skip to content

chore: add security advisories to docs #7282

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Apr 25, 2023
Merged

chore: add security advisories to docs #7282

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d0000be
chore: add security advisories to docs
johnstcn Apr 25, 2023
4bf8311
Update docs/security/0001_user_apikeys_invalidation.md
johnstcn Apr 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/images/icons/security.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
13 changes: 13 additions & 0 deletions docs/manifest.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -825,6 +825,19 @@
"path": "cli/version.md"
}
]
},
{
"title": "Security",
"description": "Security advisories",
"path": "./security/index.md",
"icon_path": "./images/icons/security.svg",
"children": [
{
"title": "API tokens of deleted users not invalidated",
"description": "Fixed in v0.23.0 (Apr 25, 2023)",
"path": "./security/0001_user_apikeys_invalidation.md"
}
]
}
]
}
68 changes: 68 additions & 0 deletions docs/security/0001_user_apikeys_invalidation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
# API Tokens of deleted users not invalidated

---

## Summary

Coder identified an issue in [https://github.com/coder/coder](https://github.com/coder/coder) where API tokens belonging to a deleted user were not invalidated. A deleted user in possession of a valid and non-expired API token is still able to use the above token with their full suite of capabilities.

## Impact: HIGH

If exploited, an attacker could perform any action that the deleted user was authorized to perform.

## Exploitability: HIGH

The CLI writes the API key to `~/.coderv2/session` by default, so any deleted user who previously logged in via the Coder CLI has the potential to exploit this. Note that there is a time window for exploitation; API tokens have a maximum lifetime after which they are no longer valid.

The issue only affects users who were active (not suspended) at the time they were deleted. Users who were first suspended and later deleted cannot exploit this issue.

## Affected Versions

All versions of Coder between v0.8.15 and v0.22.2 (inclusive) are affected.

All customers are advised to upgrade to [v0.23.0](https://github.com/coder/coder/releases/tag/v0.23.0) as soon as possible.

## Details

Coder incorrectly failed to invalidate API keys belonging to a user when they were deleted. When authenticating a user via their API key, Coder incorrectly failed to check whether the API key corresponds to a deleted user.

## Indications of Compromise

> 💡 Automated remediation steps in the upgrade purge all affected API keys. Either perform the following query before upgrade or run it on a backup of your database from before the upgrade.

Execute the following SQL query:

```sql
SELECT
users.email,
users.updated_at,
api_keys.id,
api_keys.last_used
FROM
users
LEFT JOIN
api_keys
ON
api_keys.user_id = users.id
WHERE
users.deleted
AND
api_keys.last_used > users.updated_at
;
```

If the output is similar to the below, then you are not affected:

```sql
-----
(0 rows)
```

Otherwise, the following information will be reported:

- User email
- Time the user was last modified (i.e. deleted)
- User API key ID
- Time the affected API key was last used

> 💡 If your license includes the [Audit Logs](https://coder.com/docs/v2/latest/admin/audit-logs#filtering-logs) feature, you can then query all actions performed by the above users by using the filter `email:$USER_EMAIL`.
15 changes: 15 additions & 0 deletions docs/security/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# Security Advisories

> If you discover a vulnerability in Coder, please do not hesitate to report it to us by following the instructions [here](https://github.com/coder/coder/blob/main/SECURITY.md).

From time to time, Coder employees or other community members may discover vulnerabilities in the product.

If a vulnerability requires an immediate upgrade to mitigate a potential security risk, we will add it to the below table.

Click on the description links to view more details about each specific vulnerability.

---

| Description | Severity | Fix | Vulnerable Versions |
| ---------------------------------------------------------------------------------- | -------- | -------------------------------------------------------------- | ------------------- |
| [API tokens of deleted users not invalidated](./0001_user_apikeys_invalidation.md) | HIGH | [v0.23.0](https://github.com/coder/coder/releases/tag/v0.23.0) | v0.8.25 - v0.22.2 |