On Monday, September 13, Travis CI put out a security bulletin obliquely mentioning a security problem. "As a reminder from the Support Team, cycling your secrets is something that all users should do on a regular basis per your company's security process. If you are unsure how to do this please contact Support and we would be happy to help you."
That wasn't much to go on until our friend and researcher Ax Sharma published a detailed history and description of the flaw in his article, "Travis CI flaw exposed secrets of thousands of open source projects". Ax explains, "Felix Lange found a security vulnerability that caused Travis CI to include secure environment variables of all public open source repositories that use Travis CI into pull request builds."
Our internal story
The engineering team at JupiterOne saw the article and checked our systems to see to what degree we are using TravisCI for our public repos. It turns out, we haven't used it in a while, so there wasn't much concern on our end. While we weren't at risk, we had to also make sure our customers were not affected either.
J1 Query: Were you affected?
As we thought it through, the question we think most J1 users will find most useful is, "Which PRs were created by users who are not members of my GitHub org that could have exposed secrets from Travis CI?". This type of query will help identify which PRs were created by unknown authors (e.g. authors that are not members of your GitHub organization) during the time that the vulnerability could have been exposed. You will want to audit each commit from those PRs to determine whether a bad actor attempted to access credentials from a Travis build.
WITH name~=('travis' OR 'Travis')
THAT INSTALLED github_account
THAT OWNS github_repo
THAT HAS github_pullrequest
/* 9/03/2021 */
WITH _createdOn >= 1630627200000
/* 9/11/2021 */
AND _createdOn <= 1631318400000
AND author != undefined and author != ''
/* This is an unknown (e.g. untrusted) user */
THAT !OPENED github_user
What you can do
For existing JupiterOne users who have enabled GitHub integration, you can run the query to interrogate your system for the vulnerability. Not a current JupiterOne user? You can run the query immediately when you register for your free, lifetime license. You'll get immediate access to the platform and can quickly find these issues and more.
The JupiterOne: Rapid Response Series provides immediate visibility into publicly announced issues that might be affecting the security of your systems. To be notified when a new update is published, sign up for our newsletter. No spam, just the good stuff once or twice a month. Sign up below.