With Great Community … Comes Great Responsibility
There is not a single day when we aren’t proud of our community and inspired by the many people using Traefik. One of our greatest accomplishments with Traefik is its simplicity: making it possible for everyone to run microservices architecture with ease.
But, with so many people using Traefik, we realized that it’s not only important to make sure that best practices are well documented, but that the time has come to think about ways to enforce best practices.
Recently, we were made aware that some users had misconfigured instances of Traefik, which could have exposed sensitive data: Traefik embeds a dashboard that lets administrators see the existing routes (and their parameters). If this dashboard (and its API) was enabled and made public (no authentication, and reachable from the outside), then potential attackers would have been able to read sensitive configuration data.
In both cases, we released a fix as quickly as possible and requested a CVE (CVE-2019-12452 and CVE-2018-15598) to disclose the issue.
“Even though we don’t like stumbling onto security issues, running an open-source project means being open and transparent about what’s happening.”
Am I Impacted by This CVE?
You are impacted if you meet all the following criteria:
- Running Traefik v1.7.11 or older,
- And, the API is enabled (either with the directive [api] in traefik.toml, with the command line flag --api, or with the deprecated directive [web] in traefik.toml),
- And, the API is not secured with authentication (but should be, see the documentation),
- And, the API is exposed on an untrusted network.
In this case, we recommend the following:
- Update to the latest stable version of Traefik (1.7.12),
- Do not expose the API/Dashboard (or disable it),
- Configure authentication if you need the API/Dashboard to be accessible.
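The misconfiguration described above and the hardened shape of the same traefik.toml, as an added example for Traefik v1.7 (not configuration from the original post); the certificate paths, user name and password hash are placeholders to be replaced with your own values.

```toml
# Vulnerable shape (meets every criterion listed above): the API/dashboard
# is enabled, no entrypoint is declared for it, so it listens on ":8080"
# on every interface, and no authentication is configured:
#
#   [api]
#     dashboard = true
#
# Hardened version of the same file follows: the dashboard stays enabled,
# but its entrypoint is declared explicitly, bound to loopback (or a
# trusted management interface), served over TLS and protected by
# HTTP basic authentication.

[api]
  entryPoint = "traefik"
  dashboard = true
  # Keep the pprof/expvar debug handlers off the exposed API.
  debug = false

[entryPoints]
  [entryPoints.traefik]
    # ":8080" alone would bind all interfaces; bind only where the
    # dashboard should be reachable.
    address = "127.0.0.1:8080"
    [entryPoints.traefik.tls]
      [[entryPoints.traefik.tls.certificates]]
        certFile = "/etc/traefik/dashboard.crt"   # placeholder path
        keyFile  = "/etc/traefik/dashboard.key"   # placeholder path
    [entryPoints.traefik.auth]
      [entryPoints.traefik.auth.basic]
        # htpasswd-format entries (MD5, SHA1 or bcrypt); generate one with
        # "htpasswd -nB admin". The value below is a placeholder, not a hash.
        users = ["admin:PLACEHOLDER_BCRYPT_HASH"]
```

Anything still reachable on the entrypoint after this change must present valid credentials, which is exactly the condition the second and third criteria above check for.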
Combining User Experience with Security
Having a user-friendly dashboard is one of the most praised features of Traefik, but it’s our responsibility to make sure people can’t misconfigure it in a potentially harmful way.
We’ve started a discussion here to find better ways to let our users enjoy a full-featured dashboard, but in a way that enforces security, and that doesn’t enable this feature unless using proper credentials.
In the meantime, once again, never ever expose your Traefik dashboard/API to the outside with no protection.
We also want to use this opportunity to remind users who enable the access log option to filter or redact sensitive data. Please validate your configuration and make sure you don’t log sensitive data.
# example of how to keep / redact / drop data from the logs
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
# ...
(Thanks goes to captn3m0 for making sure we added this reminder about logs.)
References
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12452
- Traefik Release with the fix: https://github.com/containous/traefik/releases/tag/v1.7.12
- Traefik’s Documentation for Securing the API/Dashboard: https://docs.traefik.io/operations/api/
- Announcement on Traefik’s Security Mailing List: https://groups.google.com/a/traefik.io/forum/#!topic/security/Hez9dsOFCA4
- Discussion about the Dashboard/API features and security: https://github.com/containous/traefik/issues/4934