Introduction
Terraform Enterprise manages cloud infrastructure through the execution of complex configurations. These configurations can be susceptible to publicly disclosed security vulnerabilities known as Common Vulnerabilities and Exposures (CVEs).
Upon discovering CVEs within Terraform Enterprise, administrators should begin an investigation to assess the potential impact, determine necessary remediation steps, and evaluate the overall risk to the infrastructure.
Recommendations
The guidance below is not fully comprehensive, but may be used as a starting point for assessment.
- Identify the specific CVEs flagged in the security scan. These typically have a unique identifier (e.g., CVE-2023-1234).
- Using the following resources as a starting point, determine the impact and severity of each CVE. Document any necessary actions. This may include steps like upgrading to a new version of TFE or the Terraform CLI version used, making changes to configurations, or implementing workarounds.
  - HashiCorp Security Bulletins and Announcements
  - HashiCorp Discuss Security Page
  - National Vulnerability Database
  - If infrastructure is hosted on a cloud platform (e.g., AWS, Azure, GCP), check for security advisories from those providers.
  - Terraform Enterprise Release Notes
- Draft and implement an action plan for remediation.
- Once remediation steps are complete, re-scan infrastructure or perform manual checks to ensure the CVEs are no longer present.
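The identify, triage and re-scan steps above, as an added example (not HashiCorp's code or tooling). The scanner output format, the CVE identifiers other than CVE-2023-1234 and the severity labels are constructed sample data; real scanners have their own formats, and severity should be confirmed against the NVD and HashiCorp bulletins.

```python
import json
import re

# Well-formed CVE identifier: "CVE-" + 4-digit year + 4 or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed scanner output (one JSON finding per line), not real scan results.
# A duplicate finding and a malformed identifier are included on purpose.
BASELINE_SCAN = """\
{"cve": "CVE-2023-1234", "component": "terraform-cli", "severity": "HIGH"}
{"cve": "CVE-2023-1234", "component": "terraform-cli", "severity": "HIGH"}
{"cve": "CVE-2023-5678", "component": "tfe-base-image", "severity": "CRITICAL"}
{"cve": "not-a-cve", "component": "tfe-base-image", "severity": "LOW"}
"""

# Constructed re-scan after upgrading the Terraform CLI: one finding remains.
RESCAN = """\
{"cve": "CVE-2023-5678", "component": "tfe-base-image", "severity": "CRITICAL"}
"""

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parse_findings(report):
    """Return {cve_id: finding}, keeping only well-formed ids, de-duplicated."""
    findings = {}
    for line in report.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not CVE_ID.match(rec.get("cve", "")):
            continue  # malformed id: cannot be looked up in the NVD, flag it separately
        findings.setdefault(rec["cve"], rec)
    return findings


def triage_order(findings):
    """CVE ids ordered so the most severe findings are investigated first."""
    return sorted(findings, key=lambda c: (SEVERITY_ORDER.get(findings[c]["severity"], 99), c))


def verify_remediation(baseline, rescan):
    """Compare the pre- and post-remediation scans: remediated, remaining and new CVEs."""
    before, after = set(parse_findings(baseline)), set(parse_findings(rescan))
    return {
        "remediated": sorted(before - after),
        "remaining": sorted(before & after),
        "new": sorted(after - before),
    }
```

Any CVE listed under "remaining" or "new" goes back to the triage step; "remediated" entries are what the re-scan confirms as no longer present.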
If assistance is needed, please open a ticket with HashiCorp Support and include as much of the following information as possible:
- Specify the name and version of the security scanner that detected the CVE(s).
- Include the Terraform Enterprise version.
- If possible, attach the complete scan results, otherwise specify the detected CVE(s) and include relevant logs or reports generated by the scanner.