During a commissioned pentesting of Lemur version 0.8.0 (a Netflix OSS project, available here), three vulnerabilities were identified in Lemur’s codebase.
At a high level, the vulnerabilities enable an authenticated user to retrieve/access unauthorized information, including private keys.
See Netflix/lemur#3463 for any further details.
Presently, we have no reason to believe that these vulnerabilities have been exploited. Evidence of access to sensitive information would be visible in standard HTTP request logs.
We have already prepared the patches to fix these vulnerabilities, and will be raising PRs to Lemur’s Github repository one week from today. On the same day, we will release a new version of Lemur (0.9.0) which will contain the patches. We recommend that all Lemur users upgrade immediately after version 0.9.0 has been released. We may publicly disclose the issues in more detail at a future date.