Introduction
Terraform Enterprise manages cloud infrastructure by executing complex configurations. These configurations, and the Terraform Enterprise installation itself, can be affected by publicly disclosed security vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs).
When you discover a CVE in your Terraform Enterprise instance, begin an investigation to assess its potential impact, determine the necessary remediation steps, and evaluate the overall risk to your infrastructure.
Procedure
Follow these steps to investigate and remediate potential vulnerabilities.
- Identify Flagged CVEs
  Identify the specific CVEs flagged in your security scan. Each has a unique identifier, such as CVE-2023-1234.
- Assess Impact and Severity
  Use the following resources to determine the impact and severity of each CVE. Document any necessary actions, such as upgrading Terraform Enterprise, updating the Terraform CLI version, changing configurations, or implementing workarounds.
  - HashiCorp Security Bulletins and Announcements
  - HashiCorp Discuss Security Page
  - National Vulnerability Database
  - Terraform Enterprise Release Notes
  If your infrastructure is hosted on a cloud platform such as AWS, Azure, or GCP, check for security advisories from those providers as well.
- Create and Implement a Remediation Plan
  Draft and implement an action plan to remediate the identified vulnerabilities based on your assessment.
- Verify Remediation
  After you complete the remediation steps, re-scan your infrastructure or perform manual checks to confirm that the CVEs are no longer present.
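The four steps above, carried through as an added example (not code from the original article or from HashiCorp): flagged identifiers are validated, each CVE is matched against advisory data, a per-CVE action is decided by comparing the installed version with the fixed version, and a re-scan is diffed against the original scan. The advisory entries and scan results are constructed sample data, and the version parser assumes the vYYYYMM-N release naming used by Terraform Enterprise.

```python
import re
from dataclasses import dataclass

# Step 1: a flagged identifier must look like a real CVE ID (CVE-YYYY-NNNN...).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Assumed Terraform Enterprise release naming, e.g. v202310-1.
TFE_VERSION = re.compile(r"^v(\d{6})-(\d+)$")


def parse_tfe_version(version):
    """Return a (yyyymm, build) tuple so releases compare chronologically."""
    match = TFE_VERSION.match(version)
    if not match:
        raise ValueError(f"unrecognised Terraform Enterprise version: {version}")
    return int(match.group(1)), int(match.group(2))


@dataclass
class Advisory:
    severity: str   # as recorded from NVD / the HashiCorp bulletin
    fixed_in: str   # first Terraform Enterprise release containing the fix


# Constructed sample advisories; real entries come from NVD and the release notes.
ADVISORIES = {
    "CVE-2023-1234": Advisory("HIGH", "v202310-1"),
    "CVE-2023-5678": Advisory("MEDIUM", "v202305-1"),
}


def triage(flagged, installed):
    """Steps 1-3: validate IDs, assess severity and decide an action per CVE."""
    plan = {}
    installed_version = parse_tfe_version(installed)
    for cve in flagged:
        if not CVE_ID.match(cve):
            plan[cve] = "invalid CVE identifier; check the scanner output"
        elif cve not in ADVISORIES:
            plan[cve] = "no advisory found; investigate manually"
        elif installed_version >= parse_tfe_version(ADVISORIES[cve].fixed_in):
            plan[cve] = f"{ADVISORIES[cve].severity}: fix already present; confirm as false positive"
        else:
            plan[cve] = f"{ADVISORIES[cve].severity}: upgrade Terraform Enterprise to {ADVISORIES[cve].fixed_in} or later"
    return plan


def verify(original_scan, rescan):
    """Step 4: CVEs from the original scan that the re-scan still reports."""
    return sorted(set(original_scan) & set(rescan))
```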