HashiCorp Terraform Security Update

dominick.caponi | April 27th, 2021


Recommended Actions - Update your Terraform and CodeCov software ASAP

Synopsis

Late last week it was brought to our attention that CodeCov suffered an attack in which attackers gained access to their bash uploader script and modified it without CodeCov’s permission. The modified script let the attackers monitor data as it was uploaded to CodeCov, including secrets used in the CI pipeline.

HashiCorp uses CodeCov’s uploader and, as a result, its GPG signing key was exposed. This means an attacker could sign binaries on behalf of HashiCorp, and there would be no way to tell which binaries are legitimate HashiCorp releases and which have been tampered with.

Status

CodeCov has taken action to remedy the situation, as has HashiCorp. HashiCorp in particular has rotated its GPG signing keys and now recommends that all HashiCorp users download the patched versions of Terraform (or any other HashiCorp software).

Is OneLogin’s Provider Affected?

HashiCorp has informed us that our provider is NOT IMPACTED. You are encouraged to update Terraform to the version signed with the new GPG key.
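Checking that a downloaded Terraform release really was signed with the rotated key, as an added example that is not OneLogin's or HashiCorp's code. It assumes HashiCorp's release layout (a SHA256SUMS file and a detached SHA256SUMS.sig next to the archive), a local gpg binary, and placeholder fingerprints that you replace with the values in HashiCorp's disclosure.

```python
import hashlib
import subprocess
from pathlib import Path

# Placeholder fingerprints (constructed, not HashiCorp's): set EXPECTED_FPR to the
# fingerprint published for the rotated key; list the retired key in REVOKED_FPRS.
EXPECTED_FPR = "AAAA" * 10
REVOKED_FPRS = {"BBBB" * 10}

def parse_sha256sums(text):
    """Map file name -> digest from SHA256SUMS lines of the form '<hash>  <name>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1]] = parts[0].lower()
    return sums

def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()

def signing_keys(status):
    """Fingerprints on gpg's VALIDSIG status line: the signing (sub)key and, when
    present, the primary key. Empty set if gpg reported no valid signature."""
    for line in status.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            return {f[2].upper(), f[-1].upper()}
    return set()

def signature_acceptable(status, expected=EXPECTED_FPR, revoked=REVOKED_FPRS):
    """Valid signature, made by the expected key, and by no key known to be compromised."""
    keys = signing_keys(status)
    return bool(keys) and expected.upper() in keys and not (keys & revoked)

def gpg_status(sums_path, sig_path):
    """Run gpg on the detached signature; return its machine-readable status lines."""
    cmd = ["gpg", "--status-fd", "1", "--verify", str(sig_path), str(sums_path)]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def verify_release(directory, archive_name):
    """True only if the signature checks out AND the archive matches SHA256SUMS."""
    d = Path(directory)
    if not signature_acceptable(gpg_status(d / "SHA256SUMS", d / "SHA256SUMS.sig")):
        return False  # never trust checksums whose signature fails or comes from an old key
    sums = parse_sha256sums((d / "SHA256SUMS").read_text())
    return sums.get(archive_name) == sha256_of_bytes((d / archive_name).read_bytes())
```

A plain `gpg --verify` succeeds for any key in your keyring, so a keyring that still holds the exposed key would accept a signature made with it; the fingerprint comparison is what enforces the rotation.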

Questions?

Feel free to reach out or get in touch with us via the Terraform provider GitHub repository.

Supporting Material

CodeCov Disclosure

HashiCorp Disclosure


OneLogin blog author

Dominick is a Senior Software Engineer building a community around OneLogin’s open-source projects, heading up API development, and building cutting-edge developer tools that empower developers to make authentication and access management easy.