CyberArk Security Bulletin CA23-01, is your Conjur environment affected?
What happened?
Yesterday CyberArk published the security bulletin CA23-01 related to a critical vulnerability of the Rake ruby package, described in the CVE-2022-30123 .
The vulnerability could be used remotely and allow a shell escape within the Conjur leader container.
This issue only affects Conjur Enterprise.
Containers of Conjur products other than Conjur Enterprise (Conjur OSS, the Conjur Kubernetes/OpenShift Follower, the Conjur Kubernetes Authenticator Client) may still include vulnerable versions of Rack but they are not using the code affected by this vulnerability.
What should you do?
Upgrading is always the best practice to obtain the new features and the security fixes, and in fact, it works: the latest Conjur Enterprise release, 12.7 is NOT AFFECTED by this vulnerability.
If your Conjur environment isn't updated to the latest release yet, CyberArk has already released 2 new point releases that fix old but still supported versions: 12.5.1 and 12.6.1 .
SIGHUP can help!
Currently, the info on how to exploit this vulnerability is not public, but acting fast will help companies remain safe!
During the last months, we have upgraded several customers to the latest Conjur 12.7 release, and we recommend you plan and perform your Conjur upgrade as soon as possible.
If you need help with the upgrade process or everything else about Conjur, please get in touch with us using this form.