diff --git a/.docsearch/config.json b/.docsearch/config.json index 859f7bd37..67cae1b94 100644 --- a/.docsearch/config.json +++ b/.docsearch/config.json @@ -8,7 +8,7 @@ "version": [ "docs", "4.0.x", - "5.12.0" + "5.13.0" ] } } diff --git a/docs/.vuepress/navbar-menus/previous-versions.js b/docs/.vuepress/navbar-menus/previous-versions.js index 43e0a2e0d..20e382346 100644 --- a/docs/.vuepress/navbar-menus/previous-versions.js +++ b/docs/.vuepress/navbar-menus/previous-versions.js @@ -3,6 +3,9 @@ export default [ text: 'Version 5.x', children: [ { + text: "5.13.0", + link: "https://docs.rundeck.com/5.13.0/" + }, { text: "5.12.0", link: "https://docs.rundeck.com/5.12.0/" }, diff --git a/docs/.vuepress/notes.md.nj b/docs/.vuepress/notes.md.nj index fb59dcfcb..736345a12 100644 --- a/docs/.vuepress/notes.md.nj +++ b/docs/.vuepress/notes.md.nj @@ -69,11 +69,11 @@ Submit your own Pull Requests to get recognition here! ## Staff Contributors * Greg Schueler ([gschueler](https://github.com/gschueler)) -* Alexander Abarca ([alexander-variacode](https://github.com/alexander-variacode)) -* Alexander Grachtchouk ([mrdubr](https://github.com/mrdubr)) * Carlos Eduardo ([carlosrfranco](https://github.com/carlosrfranco)) +* Eduardo Baltra ([edbaltra](https://github.com/edbaltra)) * Forrest Evans ([fdevans](https://github.com/fdevans)) * Jake Cohen ([jsboak](https://github.com/jsboak)) +* Jaya Singh ([jayas006](https://github.com/jayas006)) * Jason Brooks ([jbrookspd](https://github.com/jbrookspd)) * Jesus Osuna ([Jesus-Osuna-M](https://github.com/Jesus-Osuna-M)) * José Vásquez ([hiawvp](https://github.com/hiawvp)) diff --git a/docs/.vuepress/notes.mjs b/docs/.vuepress/notes.mjs index 5af0c46f4..097f4918f 100644 --- a/docs/.vuepress/notes.mjs +++ b/docs/.vuepress/notes.mjs 
@@ -94,8 +94,8 @@ async function getRepoData(repo, includeLabels) { const contributors = {}; const reporters = {}; - for (const p of pulls) {' - if (excludeUsernames.includes(p.user.login)) continue;' + for (const p of pulls) { + if (excludeUsernames.includes(p.user.login)) continue; if (contributors[p.user.login]) continue; const user = await gh.users.getByUsername({ username: p.user.login }); contributors[user.data.login] = user.data; diff --git a/docs/.vuepress/public/assets/img/relnotes-5130-alljobs.png b/docs/.vuepress/public/assets/img/relnotes-5130-alljobs.png new file mode 100644 index 000000000..2e71d9c3c Binary files /dev/null and b/docs/.vuepress/public/assets/img/relnotes-5130-alljobs.png differ diff --git a/docs/.vuepress/public/assets/img/relnotes-5130-jobdata.png b/docs/.vuepress/public/assets/img/relnotes-5130-jobdata.png new file mode 100644 index 000000000..904c860bb Binary files /dev/null and b/docs/.vuepress/public/assets/img/relnotes-5130-jobdata.png differ diff --git a/docs/.vuepress/public/assets/img/relnotes-5130-roijob.png b/docs/.vuepress/public/assets/img/relnotes-5130-roijob.png new file mode 100644 index 000000000..932f93fcc Binary files /dev/null and b/docs/.vuepress/public/assets/img/relnotes-5130-roijob.png differ diff --git a/docs/.vuepress/public/assets/img/relnotes-5130-roisummary.png b/docs/.vuepress/public/assets/img/relnotes-5130-roisummary.png new file mode 100644 index 000000000..a9b2809d2 Binary files /dev/null and b/docs/.vuepress/public/assets/img/relnotes-5130-roisummary.png differ diff --git a/docs/.vuepress/setup.js b/docs/.vuepress/setup.js index df1b8a5bd..fc574d177 100644 --- a/docs/.vuepress/setup.js +++ b/docs/.vuepress/setup.js @@ -1,7 +1,7 @@ import { BaseTransition } from "vue" -const RUNDECK_VERSION='5.12.0' -const RUNDECK_VERSION_FULL='5.12.0-SNAPSHOT' +const RUNDECK_VERSION='5.13.0' +const RUNDECK_VERSION_FULL='5.13.0-SNAPSHOT' const API_VERSION='52' const API_DEP_REL='6.0.0' const API_DEP_VER='17' 
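Review bot: The de-duplication check `if (contributors[p.user.login]) continue;` reads through the prototype of the plain `{}` declared at the top of the hunk, so a GitHub login that happens to name an `Object.prototype` member (for example `constructor`) is truthy before anything was stored and that contributor is silently dropped; the same pattern applies to the `reporters` dictionary. Since `login` is external input, test ownership explicitly: `if (Object.hasOwn(contributors, p.user.login)) continue;` (or declare the dictionaries as `Object.create(null)` / a `Map` if the rest of the function permits). If the pull-request API can return a null `user` for removed accounts, the added `p.user.login` access would throw and abort the whole loop, so a guard such as `if (!p.user) continue;` before the exclusion check is worth confirming against the client's typings. getRepoData starts before this hunk and continues after it.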
diff --git a/docs/.vuepress/sidebar-menus/administration.ts b/docs/.vuepress/sidebar-menus/administration.ts
index 4fa34aa1b..61d7c2193 100644
--- a/docs/.vuepress/sidebar-menus/administration.ts
+++ b/docs/.vuepress/sidebar-menus/administration.ts
@@ -230,7 +230,8 @@ export default [{
 '/administration/security/password-security',
 '/administration/security/ratelimiting',
 '/administration/security/blocklist',
- '/administration/security/audit-trail'
+ '/administration/security/audit-trail',
+ '/administration/security/audit-stream-plugin'
 ]
 }
 ]
diff --git a/docs/administration/security/audit-stream-plugin.md b/docs/administration/security/audit-stream-plugin.md
new file mode 100644
index 000000000..d977fe682
--- /dev/null
+++ b/docs/administration/security/audit-stream-plugin.md
@@ -0,0 +1,203 @@ +# Audit Stream Plugin + +:::enterprise +::: + +This plugin streams **Rundeck audit events** to external systems via secure, configurable webhooks. It's useful for sending specific event logs to tools like **Datadog**, **New Relic**, **Sumo Logic**, or custom endpoints. + +--- + +## What It Does + +- Sends audit events as JSON via HTTP POST requests +- Supports authentication methods required by major observability providers +- Offers advanced filtering to control which events are sent +- Can enrich payloads with contextual metadata (user, resource, request) + +--- + +## Prerequisites + +- Rundeck version **4.17.0 or higher** +- An external system that can receive and process HTTP webhooks +- HTTPS endpoint access from the Rundeck server + +--- + +## Supported Authentication Methods + +| Type | Description | +|-------------|-------------------------------------------------------------------| +| `NONE` | No authentication headers | +| `BEARER` | Adds `Authorization: Bearer ` header | +| `AZURE_SAS` | Sends a custom header (e.g. `x-functions-key`) with a token | +| `AWS_SIGV4` | Signs the request with AWS Signature V4 credentials | + +--- + +## Configuration Guide + +Access these properties via the System Configuration menu under Plugins → Audit Stream. 
+ +### AWS API Gateway Example + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://api-id.execute-api.us-west-2.amazonaws.com/prod/webhook +framework.plugin.AuditEventListener.WebhookAuditListener.securityType=AWS_SIGV4 +framework.plugin.AuditEventListener.WebhookAuditListener.awsRegion=us-west-2 +framework.plugin.AuditEventListener.WebhookAuditListener.awsService=execute-api +``` +- Optional: If you haven’t configured credentials in Rundeck’s Key Storage, you can set them here: + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.awsAccessKey= +framework.plugin.AuditEventListener.WebhookAuditListener.awsSecretKey= +``` + +### Azure Function Example + + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://.azurewebsites.net/api/rundeckwebhook +framework.plugin.AuditEventListener.WebhookAuditListener.securityType=AZURE_SAS +framework.plugin.AuditEventListener.WebhookAuditListener.azureSasToken= +framework.plugin.AuditEventListener.WebhookAuditListener.azureHeaderName=x-functions-key +``` + +### Bearer Token Example + + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://api.example.com/secure-audit +framework.plugin.AuditEventListener.WebhookAuditListener.securityType=BEARER +framework.plugin.AuditEventListener.WebhookAuditListener.authToken= +``` +### Custom Headers Example (Datadog, New Relic, etc.) 
+ +#### Datadog: + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://api.datadoghq.com/api/v2/events +framework.plugin.AuditEventListener.WebhookAuditListener.securityType=NONE +framework.plugin.AuditEventListener.WebhookAuditListener.customHeaders=DD-API-KEY:your_api_key,DD-APPLICATION-KEY:your_app_key,Accept:application/json +``` + + +#### New Relic: + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://insights-collector.newrelic.com/v1/accounts/YOUR_ACCOUNT_ID/events +framework.plugin.AuditEventListener.WebhookAuditListener.securityType=NONE +framework.plugin.AuditEventListener.WebhookAuditListener.customHeaders=X-Insert-Key:your_insert_key //This key must have type: INGEST - LICENSE +``` +> Ensure your insert key is of type INGEST – LICENSE + + + +#### No Authentication: + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.webhookUrl=https://internal.example.com/webhook +framework.plugin.AuditEventListener.WebhookAuditListener.securityType=NONE +``` + + +### Event Filtering + +You can filter which audit events are sent by listing specific actionType values: + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.includedEvents=run,create,login_success +``` + +#### Common `actionType` Values + +| Type | Meaning | +|-----------------|----------------------------------| +| `run` | Job or command executed | +| `create` | Job or resource created | +| `update` | Resource updated (e.g. job, ACL) | +| `delete` | Resource deleted | +| `login_success` | User logged in | +| `login_failed` | Failed login attempt | +| `logout` | User logged out | +| `view` | Resource viewed | + +--- +### Timeout + +You can configure the HTTP connection timeout (in seconds). 
The default is 30: + +```properties +framework.plugin.AuditEventListener.WebhookAuditListener.timeout=20 +``` + +## JSON Payload Format Sent to Webhook Endpoints + +The following are example JSON payloads sent by the plugin, formatted based on the destination provider (e.g., Datadog, New Relic, etc). These payloads can be used to test or validate integration. + +### Default (e.g. Azure, AWS, or custom) +```json +{ + "timestamp": "2025-03-03T22:27:48.281Z", + "actionType": "CREATE", + "userInfo": { + "username": "admin", + "userRoles": ["admin", "user"] + }, + "resourceInfo": { + "type": "job", + "name": "backup-database" + }, + "requestInfo": { + "serverUUID": "550e8400-e29b-41d4-a716-446655440000", + "userAgent": "Mozilla/5.0..." + } +} +``` + +### Datadog API v1 +```json +{ + "title": "Rundeck Audit Event: login_success", + "text": "{\"timestamp\":1746726668522,\"actionType\":\"login_success\",\"userInfo\":{\"username\":\"admin\",\"userRoles\":[\"admin\",\"user\"]},\"resourceInfo\":{\"type\":\"user\",\"name\":\"admin\"},\"requestInfo\":{\"serverUUID\":\"abc123\",\"userAgent\":\"Mozilla/5.0\"}}", + "alert_type": "info", + "tags": ["rundeck", "action:login_success"] +} +``` + +### Datadog API v2 +```json +{ + "data": { + "type": "event", + "attributes": { + "title": "Rundeck Audit Event: login_success", + "text": "{\"timestamp\":1746726668522,\"actionType\":\"login_success\",\"userInfo\":{\"username\":\"admin\",\"userRoles\":[\"admin\",\"user\"]},\"resourceInfo\":{\"type\":\"user\",\"name\":\"admin\"},\"requestInfo\":{\"serverUUID\":\"abc123\",\"userAgent\":\"Mozilla/5.0\"}}", + "alert_type": "info", + "tags": ["rundeck", "action:login_success"] + } + } +} +``` + +### New Relic +```json +{ + "eventType": "RundeckAuditStreamPlugin", + "timestamp": 1746726668522, + "actionType": "login_success", + "userInfo.username": "admin", + "userInfo.userRoles": ["admin", "user"], + "resourceInfo.type": "user", + "resourceInfo.name": "admin", + "requestInfo.serverUUID": 
"abc123", + "requestInfo.userAgent": "Mozilla/5.0" +} +``` + + +## Troubleshooting Tips + +- Check that your webhook endpoint is reachable from the Rundeck host. +- If using AWS SIGV4, make sure the IAM role or access keys have permissions. \ No newline at end of file diff --git a/docs/history/5_x/version-5.13.0.md b/docs/history/5_x/version-5.13.0.md new file mode 100644 index 000000000..3e18b4ff9 --- /dev/null +++ b/docs/history/5_x/version-5.13.0.md 
@@ -0,0 +1,121 @@ +--- + +title: "5.13.0 Release Notes" +date: 2025-06-25 +image: /images/chevron-logo-red-on-white.png +description: "Rundeck | Runbook Automation Releases 5.13.0 - New Job Metrics and ROI Graphs" +feed: + enable: true + description: "New Job Metrics and ROI Graphs" + +--- + +# 5.13.0 Release Notes + +## Overview + + +::: danger Important Security Update + +::: +A security vulnerability was identified and patched in the Enterprise Runner component where certain password patterns containing regex special characters (particularly multiple '+' characters) could bypass the password masking mechanism, potentially exposing sensitive information in error logs. This issue affected Enterprise Runner versions used with Process Automation 4.14.0 through 5.12.0, but did not impact Open Source Rundeck or the Process Automation server itself. The vulnerability has been remediated in version 5.13.0, which includes fixes in both the server and runner components to prevent exposure of secrets containing regex special characters. *Process Automation Self Hosted customers should upgrade both their server and all Enterprise Runners* to version 5.13.0 or later for complete remediation. Process Automation SaaS servers are already updated, customers should proceed directly to upgrading all their Enterprise Runners. + +[Full details on this page](/history/cves/2025-06-runner-security.md) + +### Job Metrics +The Job Metrics plugin provides comprehensive visualization and analysis of your Rundeck job execution patterns, success rates, and timing trends through an intuitive dashboard interface. + +![Job Metrics Example](/assets/img/relnotes-5130-alljobs.png)
+ +![Job Metrics Job Data](/assets/img/relnotes-5130-jobdata.png)
+ +### ROI Metrics + +The ROI Summary plugin brings your automation's financial impact to life through intuitive visualizations and real-time calculations, helping teams quantify and demonstrate the value of their automation initiatives. + +![Job Metrics Example](/assets/img/relnotes-5130-roisummary.png)
+ +![Job Metrics Job Data](/assets/img/relnotes-5130-roijob.png)
+ + +### Webhook Audit Listener + +The [Webhook Audit Listener plugin](/administration/security/audit-stream-plugin.md) enables real-time streaming of Rundeck audit events to external systems through configurable webhook endpoints. This allows teams to integrate Rundeck’s audit trail with external monitoring, logging, or security platforms. + +## Runbook Automation Updates + +> Also includes all Open Source updates from below + +### Additional Updates + + +* Add new UI for Job Metrics and ROI Metrics graphs +* Fix: Ansible Model Sources return host vars data in key=value format when "Gather Facts" is set to "no" +* Fix: Webhook events don't get deleted properly from DB +* Update vault-storage plugin version to 1.3.14 for CVE-2019-17571 +* Add MongoDB Node Step to allow Runner functionality + + +## Rundeck Open Source Product Updates + +* [Added new ansible-plugin release](https://github.com/rundeck/rundeck/pull/9675) +* [Fix: DELETE query type for stored events is ignored](https://github.com/rundeck/rundeck/pull/9668) +* [Update multiline-regex-datacapture-filter plugin to 1.1.2 for CVE-2019-17571](https://github.com/rundeck/rundeck/pull/9664) +* [Allow Audit Events Plugins to refresh config](https://github.com/rundeck/rundeck/pull/9658) +* [Upgrade Gradle to 7.6.2](https://github.com/rundeck/rundeck/pull/9657) +* [Upgrade asset-pipeline-grails lib version to 3.4.7](https://github.com/rundeck/rundeck/pull/9656) +* [upgrade go](https://github.com/rundeck/rundeck/pull/9652) +* [Fix/Add 72-char limit for BCRYPT passwords to address CVE-2025-22228](https://github.com/rundeck/rundeck/pull/9651) +* [Upgrade sshj plugin version for Security Fixes](https://github.com/rundeck/rundeck/pull/9649) +* [Update attribute match plugin to 0.2.1](https://github.com/rundeck/rundeck/pull/9648) +* [fix: blank string value for "Options" property type causes Exception](https://github.com/rundeck/rundeck/pull/9647) +* [Add project name to params to get plugin 
details](https://github.com/rundeck/rundeck/pull/9636) +* [Add autocomplete behavior to inputs and scripts](https://github.com/rundeck/rundeck/pull/9632) +* [NextUI: Add job activity list menu action ](https://github.com/rundeck/rundeck/pull/9615) +* [Upgrade selenium version to 4.31.0](https://github.com/rundeck/rundeck/pull/9323) + + +[Here is a link to the full list of public PRs](https://github.com/rundeck/rundeck/pulls?q=is%3Apr+milestone%3A5.13.0+is%3Aclosed) + +## Ansible Plugin Updates +* [Fix: Ansible Model Sources return host vars data in key=value format when "Gather Facts" is set to "no"](https://github.com/rundeck-plugins/ansible-plugin/pull/411) + + +## Links + +- Download the Releases: [Open Source](https://www.rundeck.com/community-downloads/5.13.0) | [Self-Hosted](https://www.rundeck.com/enterprise-downloads/5.13.0) +- [Sign up for Release Notes](https://www.rundeck.com/release-notes-signup) +- [Upgrade instructions](/upgrading/index.md) +- [Catch us on LinkedIn for the Live Stream Release Videos](https://www.linkedin.com/company/pagerduty/events) + +## Version Info + +Name: "Kirkjufell red headphones" + +Release Date: June 25th, 2025 + + +## Community Contributors + +Submit your own Pull Requests to get recognition here! 
+ +* Rui Melo Amaro ([rmeloamaro](https://github.com/rmeloamaro)) + + +## Staff Contributors + +* Greg Schueler ([gschueler](https://github.com/gschueler)) +* Alexander Abarca ([alexander-variacode](https://github.com/alexander-variacode)) +* Alexander Grachtchouk ([mrdubr](https://github.com/mrdubr)) +* Carlos Eduardo ([carlosrfranco](https://github.com/carlosrfranco)) +* Eduardo Baltra ([edbaltra](https://github.com/edbaltra)) +* Forrest Evans ([fdevans](https://github.com/fdevans)) +* Jake Cohen ([jsboak](https://github.com/jsboak)) +* Jaya Singh ([jayas006](https://github.com/jayas006)) +* Julianna Green ([juliannagreen1](https://github.com/juliannagreen1)) +* Jason Brooks ([jbrookspd](https://github.com/jbrookspd)) +* Jesus Osuna ([Jesus-Osuna-M](https://github.com/Jesus-Osuna-M)) +* José Vásquez ([hiawvp](https://github.com/hiawvp)) +* Luis Toledo ([ltamaster](https://github.com/ltamaster)) +* Rodrigo Navarro ([ronaveva](https://github.com/ronaveva)) +* Sarah Martinelli Benedetti ([smartinellibenedetti](https://github.com/smartinellibenedetti)) \ No newline at end of file diff --git a/docs/history/cves/2025-06-runner-security.md b/docs/history/cves/2025-06-runner-security.md new file mode 100644 index 000000000..eb5d5ca6c --- /dev/null +++ b/docs/history/cves/2025-06-runner-security.md 
@@ -0,0 +1,82 @@ +--- +title: Password Exposure in Runner Logs +order: 70 +--- + +## Security Advisory: Password Masking Failure Exposing Secrets in Enterprise Runner Log Output + +A security vulnerability has been identified in the Enterprise Runner component (not affecting Open Source Rundeck or the Process Automation server itself) where certain password patterns containing regex special characters _(such as multiple '+' characters)_ can bypass the password masking mechanism, resulting in the exposure of sensitive information in error logs. + +### Description + +The Enterprise Runner's password masking functionality is bypassed when processing passwords or secrets containing invalid regex sequences (particularly patterns like `"+++"`). When this occurs, the error handling mechanism may expose sensitive information in the log output, including: + +* Job Option secrets (Password type inputs) +* Key storage values (such as SSH keys) +* Environment variables containing sensitive information (matching patterns like "token", "key", "pass", "password", "secret" - case insensitive) + +This vulnerability is triggered when a secret value contains specific regex special characters, particularly sequences like "+++" which may commonly appear in base64-encoded content such as PGP ASCII-armored keys. 
+ +### Impact + +* **Affected Versions**: + * Enterprise Runner versions used with Process Automation 4.14.0 through 5.12.0 + * Note: This issue does not affect Open Source Rundeck or the Process Automation server itself +* **Scope**: + * Process Automation SaaS customers using Enterprise Runners + * Process Automation Self-Hosted customers using Enterprise Runners +* **Exposure**: The vulnerability only exposes secrets that are: + * Sent to the Enterprise Runner for specific step execution + * Present in Enterprise Runner environment variables + +**Note:** This bug does NOT expose all secrets stored in the Process Automation server or Runner, only those used in the running job and only in cases where the trigger condition, described previously, is present. + +### Patches + +The vulnerability has been remedied in Process Automation version 5.13.0. To fully resolve this issue: + +1. Upgrade Process Automation server to version 5.13.0 or later. + 1. This step is only for Self Hosted Customers. Runbook Automation SaaS portals are already updated to the latest version. + 2. Updating the server ensures that the messages that may contain a password are not shown in the GUI. + 3. This is also a pre-requisite to Step 2 as the server will then provide the updated Runner software. +2. Ensure all Enterprise Runners are upgraded to version 5.13.0 or later. + 4. This remediates the issue at the Runner from happening and ensures those steps successfully complete. + +### Workarounds + +Currently, there are no complete workarounds available. The server-side "Mask Passwords" log filter does not fully prevent the exposure of secrets in these error logs. + +### Interim Security Measures + +Until both upgrade steps are completed: + +1. Review your Enterprise Runner error logs for any potential exposure of sensitive information. +2. Monitor job executions that involve sensitive data, particularly those using SSH keys or base64-encoded secrets. +3. 
If possible, temporarily avoid using secrets containing multiple '+' characters or similar special characters. + +### For More Information + +If you have any questions or comments about this advisory: + +* Enterprise Customers can open a[ Support ticket](https://support.rundeck.com) +* Open Source versions of the product are not affected by this issue. + + +### FAQ (for docs web page) + +_What if I can’t update my Runners immediately?_ + + Fixes were provided in both the Server and Runner code bases. To help mitigate exposure at the Server Side any runner that emits the error message will have that message blocked by the Server. + +_How can I know if the error has happened in my environment previously?_ + + Searching logs for the following will highlight any potential exposure. + + * Searching for log messages containing both these strings: + * `Sidecar StackTrace: java.util.regex.PatternSyntaxException` + * and `RunnerMaskPasswordPlugin.generateRegEx` + * You can also simply search for `RunnerMaskPasswordPlugin.generateRegEx` but be aware of an earlier bug that may emit an error message with that text as well. This bug was fixed in 5.9.0, so any runners older than 5.9.0 would not have the message + +_How can I monitor or check for older versions of the Runner?_ + +A Runbook Automation administrator can login and navigate to the Runner Management panel. Any version older than `5.13-RBA-20250625` (SaaS) / `5.13.0-20250625` (Self-Hosted) should be updated. Use the Actions dropdown and click “Download Runner” and follow the prompts to Regenerate Credentials and download a new Runner instance. \ No newline at end of file diff --git a/docs/history/cves/CVE-2024-45338.md b/docs/history/cves/CVE-2024-45338.md index 1d59002cb..cb6786469 100644 --- a/docs/history/cves/CVE-2024-45338.md +++ b/docs/history/cves/CVE-2024-45338.md @@ -1,5 +1,5 @@ --- -order: 76 +order: 50 --- # CVE-2024-45338 
diff --git a/docs/history/cves/cve-2023-34034.md b/docs/history/cves/cve-2023-34034.md new file mode 100644 index 000000000..fccafeb42 --- /dev/null +++ b/docs/history/cves/cve-2023-34034.md @@ -0,0 +1,41 @@ +--- +order: 375 +--- + +# CVE-2023-34034 + +::: danger FALSE POSITIVE + Rundeck and Runbook Automation are not vulnerable to this CVE. +::: + +## Overview + +Security scanners have incorrectly flagged Rundeck 5.X series as vulnerable to CVE-2023-34034. This is a false positive detection due to naming similarities between different security packages. + +## Technical Details + +Rundeck 5.X series uses: + +- Grails 6 +- Spring Security 5.8.15 (secure version) + +## Source of Confusion + +The false positive occurs due to similarly named JAR files in the WAR build: + +``` +583548 Mon May 05 12:39:28 PDT 2025 WEB-INF/lib/spring-security-core-6.1.1.jar +494949 Mon May 05 12:39:28 PDT 2025 WEB-INF/lib/spring-security-core-5.8.15.jar +``` + +## Important Clarification + +The `spring-security-core-6.1.1.jar` file is actually the Grails Security Plugin, not the Spring Security framework. Some security scanners mistakenly identify this as Spring Security 6.1.1, triggering the false CVE-2023-34034 alert. + +## Verification + +To confirm this is a false positive: + +1. The actual Spring Security implementation is version 5.8.15 +2. The 6.1.1 JAR file belongs to the Grails Security Plugin +3. Rundeck 5.X is not affected by CVE-2023-34034 \ No newline at end of file diff --git a/docs/history/cves/cve-2024-22257.md b/docs/history/cves/cve-2024-22257.md new file mode 100644 index 000000000..45eb47c1b --- /dev/null +++ b/docs/history/cves/cve-2024-22257.md 
@@ -0,0 +1,41 @@ +--- +order: 93 +--- + +# CVE-2024-22257 + +::: danger FALSE POSITIVE + Rundeck and Runbook Automation are not vulnerable to this CVE. +::: + +## Overview + +Security scanners have incorrectly flagged Rundeck 5.X series as vulnerable to CVE-2023-34034. This is a false positive detection due to naming similarities between different security packages. + +## Technical Details + +Rundeck 5.X series uses: + +- Grails 6 +- Spring Security 5.8.15 (secure version) + +## Source of Confusion + +The false positive occurs due to similarly named JAR files in the WAR build: + +``` +583548 Mon May 05 12:39:28 PDT 2025 WEB-INF/lib/spring-security-core-6.1.1.jar +494949 Mon May 05 12:39:28 PDT 2025 WEB-INF/lib/spring-security-core-5.8.15.jar +``` + +## Important Clarification + +The `spring-security-core-6.1.1.jar` file is actually the Grails Security Plugin, not the Spring Security framework. Some security scanners mistakenly identify this as Spring Security 6.1.1, triggering the false CVE-2023-34034 alert. + +## Verification + +To confirm this is a false positive: + +1. The actual Spring Security implementation is version 5.8.15 +2. The 6.1.1 JAR file belongs to the Grails Security Plugin +3. Rundeck 5.X is not affected by CVE-2024-22257 \ No newline at end of file diff --git a/docs/history/cves/cve-2024-38827.md b/docs/history/cves/cve-2024-38827.md new file mode 100644 index 000000000..dc42deeb9 --- /dev/null +++ b/docs/history/cves/cve-2024-38827.md 
@@ -0,0 +1,22 @@
+---
+order: 70
+---
+
+# CVE-2024-38827
+
+## Description
+
+The vulnerability relates to the use of `String.toLowerCase()` and `String.toUpperCase()` in authorization logic, which may result in security bypass due to locale-dependent behavior.
+
+## Impact
+
+When using locale-sensitive string case conversion methods in security-critical code paths like role or authority checks, attackers could potentially bypass authorization controls in certain locales. This happens because character mappings between upper and lower case can differ across locales.
+
+## Assessment
+
+Our application uses Spring Security version 5.8.15, which is listed as affected in the official advisory. However, after code review, we did not identify any instances where `String.toLowerCase()` or `String.toUpperCase()` methods are used in role or authority checks within our codebase.
+
+## References
+
+- [NVD - CVE-2024-38827](https://nvd.nist.gov/vuln/detail/CVE-2024-38827)
+
diff --git a/docs/history/cves/cve-2024-45337.md b/docs/history/cves/cve-2024-45337.md
index d5ddb9928..68fd050e0 100644
--- a/docs/history/cves/cve-2024-45337.md
+++ b/docs/history/cves/cve-2024-45337.md
@@ -1,5 +1,5 @@
 ---
-order: 77
+order: 60
 ---
 
 # CVE-2024-45337
diff --git a/docs/history/cves/cve-2024-6104.md b/docs/history/cves/cve-2024-6104.md
index 09344a96d..35d7dfbbf 100644
--- a/docs/history/cves/cve-2024-6104.md
+++ b/docs/history/cves/cve-2024-6104.md
@@ -1,5 +1,5 @@
 ---
-order: 91
+order: 95
 ---
 
 # CVE-2024-6104
diff --git a/docs/history/cves/index.md b/docs/history/cves/index.md
index ea306463c..fc2883dbf 100644
--- a/docs/history/cves/index.md
+++ b/docs/history/cves/index.md
@@ -12,6 +12,8 @@ Below is a collection of security notices previously filed for Rundeck and Runbo These are the Security Advisories Rundeck has issued in the past. It is always recommended to upgrade to the current version of Rundeck ({{$rundeckVersion}}) for the latest security updates. +* [Runner Security Issue - June 2025](2025-06-runner-security.md)
+ Password Masking Failure Exposing Secrets in Enterprise Runner Log Output. * [CVE-2023-48222](cve-2023-48222.md)
Authenticated users can view or delete jobs for which they do not have authorization. * [CVE-2023-47112](cve-2023-47112.md)
@@ -38,11 +40,14 @@ These are the Security Advisories Rundeck has issued in the past. It is always * [CVE-2020-0187 Android 10 Finding](cve-2020-0187.md). * [CVE-2022-45868 H2 DB false positive](cve-2022-45868.md). * [CVE-2022-1471 SnakeYAML false positive](cve-2022-1471.md). +* [CVE-2023-34034 Spring Security False Positive](cve-2023-34034.md). * [CVE-2024-1597 Postgres JDBC Driver Vulnerability](cve-2024-1597.md). * [CVE-2024-6104 go-retryablehttp can leak basic auth credentials to log files](cve-2024-6104.md). +* [CVE-2024-22257 Spring Security False Finding](cve-2024-22257.md). * [CVE-2023-39017 Quartz Scheduler false positive](cve-2023-39017.md). * [CVE-2024-24786 Protobuf finding in Remco](cve-2024-38807.md). * [CVE-2024-38807 Spring Boot false positive](cve-2024-38807.md). * [CVE-2024-38816 Path traversal vulnerability in functional web frameworks](cve-2024-38816.md). * [CVE-2024-38819 Path traversal vulnerability in functional web frameworks #2](cve-2024-38819.md). +* [CVE-2024-38827 Locale-sensitive string case conversion methods](cve-2024-38827.md). * [CVE-2024-45338 golang/x/net 0.20.0](cve-2024-38819.md). \ No newline at end of file diff --git a/docs/history/release-calendar.md b/docs/history/release-calendar.md index 95a5557a2..72e6f655f 100755 --- a/docs/history/release-calendar.md +++ b/docs/history/release-calendar.md @@ -9,6 +9,7 @@ Upgrade instructions [can be found here](/upgrading/index.md). | Release Version | Release Date | Enterprise Support Status | |------------------------------------------|----------------------|---------------------------| +| [5.13.0](/history/5_x/version-5.13.0.md) | June 25th, 2025 | Supported | | [5.12.0](/history/5_x/version-5.12.0.md) | May 7th, 2025 | Supported | | [5.11.1](/history/5_x/version-5.11.1.md) | April 16th, 2025 | Supported | | [5.11.0](/history/5_x/version-5.11.0.md) | April 9th, 2025 | Supported |