Security Advisory: Secrets in Validator Logs
Summary
The Canton Network has issued a security advisory warning that sensitive credentials, like PostgreSQL passwords and Ledger API tokens, could be exposed in plaintext within validator application logs under specific conditions. This exposure occurs if a validator uses additional DARs deployed via the `.appDars` Helm value or the `SPLICE_APP_DARS` environment variable AND has DEBUG-level logging enabled. Users are urged to immediately set their log level to INFO or higher and rotate any potentially...
Security Advisory — Potential secrets exposure in validator logs
We have identified an issue where sensitive credentials (such as your PostgreSQL password and Ledger API auth token) may be written in plaintext to validator application logs. This only occurs under a specific combination of conditions described below.
Who is affected?
You may be affected if both of the following are true:
1. Your validator deployment uses additional DARs beyond the standard Splice dars, AND you deployed those dars via the .appDars Helm value OR by manually setting the SPLICE_APP_DARS environment variable to a non-null value. (Uploading additional DARs via other means does not make you affected.)
2. DEBUG-level logging is enabled for the validator app.
- Helm deployments: DEBUG logging is on by default.
- Docker Compose deployments: The default log level was changed from DEBUG to INFO in Splice 0.5.10.
What should I do?
1. Immediately ensure your validator app log level is set toINFO or above. This stops any further exposure.
If you believe your deployment matched both conditions above, we recommend rotating the following secrets:
- PostgreSQL database password
- Ledger API auth token
- Any other secrets you may have added as environment variables on the validator app deployment
Fix
This issue has been resolved in splice#4230 and will be included in the upcoming 0.5.14 release.
|| @Dev Announcements @Canton Builder ||
