Moderate severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 4, 2026

Rancher Backup Operator pod's logs leak S3 tokens

CVE-2025-62879

Description

A vulnerability has been identified within the Rancher Backup Operator, resulting in the leakage of S3 tokens (both accessKey and secretKey) into the rancher-backup-operator pod's logs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Rancher Backup Operator logs S3 accessKey and secretKey, exposing AWS credentials in the pod's logs under default debug levels.

Vulnerability

Overview

The Rancher Backup Operator, used for backing up and restoring Rancher on Kubernetes clusters, contains a vulnerability that causes S3 credentials (accessKey and secretKey) to be written into the operator pod's logs. The S3 accessKey is logged even with default settings (trace: false, debug: false), while the secretKey appears when trace or debug is enabled [3]. This leakage stems from insufficient redaction of sensitive information in log output.

Exploitation

Prerequisites

No special privileges are needed beyond access to the rancher-backup-operator pod logs. An attacker with read access to the cluster logs (e.g., through kubectl logs, log aggregation systems, or compromised monitoring tools) can retrieve the exposed credentials. The attack surface is broadened if logs are exported to external storage [3].

Impact

Successful exploitation allows an attacker to obtain valid S3 accessKey and secretKey tokens. With these credentials, an attacker could access the S3 bucket used for Rancher backups, potentially reading, modifying, or deleting backup data. This could lead to data breach, backup tampering, or disruption of disaster recovery capabilities [1][3].

Mitigation

Patched versions (108.0.1+up9.0.1, 107.1.2+up8.1.2, 106.0.6+up7.0.5, 105.0.6+up6.0.3) apply redaction to prevent credential leakage [3]. Users should upgrade immediately and rotate affected S3 tokens. For environments that cannot upgrade, setting both debug and trace to false reduces exposure, but does not eliminate the accessKey leak [3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
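
For the token-rotation step in the Mitigation section above, the following added example (not Rancher's code and not part of the advisory) scans exported operator logs for the leaked accessKey and secretKey fields and produces redacted copies of the lines. The log line layout, the AKIA/ASIA key-ID pattern and the sample lines are assumptions; the sample key values are the placeholder credentials from AWS documentation.

```python
import re
import sys

# Field names are the ones the advisory names; the separators accepted here
# (= or :, optional quotes) are assumptions about the operator's log layout.
FIELD_RE = re.compile(r'(?i)\b(accessKey|secretKey)\b["\']?\s*[:=]\s*["\']?([^\s"\',}\]]+)')
# Bare AWS-style access key IDs (assumed AKIA/ASIA prefix + 16 characters).
AKID_RE = re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b')
MASK = "[REDACTED]"

def hint(key_id):
    """Show just enough of an access key ID to find it in the key inventory."""
    return f"{key_id[:4]}...{key_id[-4:]}" if len(key_id) > 8 else MASK

def scan(lines):
    """Return (findings, clean): what leaked on which line, and redacted lines."""
    findings, clean = [], []
    for no, line in enumerate(lines, 1):
        def field_hit(m):
            secret = m.group(1).lower() == "secretkey"
            findings.append((no, m.group(1), MASK if secret else hint(m.group(2))))
            return m.string[m.start():m.start(2)] + MASK  # keep name, drop value
        def bare_hit(m):
            findings.append((no, "access-key-id", hint(m.group(0))))
            return MASK
        line = FIELD_RE.sub(field_hit, line.rstrip("\n"))
        clean.append(AKID_RE.sub(bare_hit, line))
    return findings, clean

# Constructed sample lines, not real operator output. Key values are the
# placeholder credentials used in AWS documentation.
SAMPLE = [
    'level=info msg="Processing backup nightly"',
    'level=info msg="S3 config" accessKey=AKIAIOSFODNN7EXAMPLE bucket=rancher-backups',
    'level=debug msg="client {endpoint:s3.example.test secretKey:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY}"',
    'level=info msg="upload done"',
    'level=info msg="using key AKIAIOSFODNN7EXAMPLE for upload"',
]

if __name__ == "__main__":
    # Usage: kubectl logs <rancher-backup-operator pod> | python3 scan_s3_leak.py
    src = sys.stdin.readlines() if not sys.stdin.isatty() else SAMPLE
    found, _ = scan(src)
    for no, field, shown in found:
        print(f"line {no}: {field} = {shown}")
    sys.exit(1 if found else 0)
```

A non-zero exit status means at least one credential field was found, so the corresponding key pair should be treated as exposed and rotated.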

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/rancher/backup-restore-operator | Go | >= 9.0.0, < 9.0.1 | 9.0.1 |
| github.com/rancher/backup-restore-operator | Go | >= 8.0.0, < 8.1.2 | 8.1.2 |
| github.com/rancher/backup-restore-operator | Go | >= 7.0.0, < 7.0.5 | 7.0.5 |
| github.com/rancher/backup-restore-operator | Go | >= 6.0.0, < 6.0.3 | 6.0.3 |
