The vulnerability could be exploited remotely and allow a shell escape within the Conjur leader container.
This issue only affects Conjur Enterprise.
Containers of Conjur products other than Conjur Enterprise (Conjur OSS, the Conjur Kubernetes/OpenShift Follower, the Conjur Kubernetes Authenticator Client) may still include vulnerable versions of Rack, but they do not use the code affected by this vulnerability.
What should you do?
Upgrading is always the best practice for obtaining new features and security fixes, and in this case it works: the latest Conjur Enterprise release, 12.7, is NOT AFFECTED by this vulnerability.
SIGHUP can help!
Currently, the information on how to exploit this vulnerability is not public, but acting fast will help companies remain safe!
In recent months, we have upgraded several customers to the latest Conjur 12.7 release, and we recommend that you plan and perform your Conjur upgrade as soon as possible.
If you need help with the upgrade process or anything else about Conjur, please get in touch with us using this form.