Headline
CVE-2022-39395: Reference
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela Server and Vela Worker prior to version 0.16.0 and Vela UI prior to version 0.17.0, some default configurations for Vela allow exploitation and container breakouts. Users should upgrade to Server 0.16.0, Worker 0.16.0, and UI 0.17.0 to fix the issue. After upgrading, Vela administrators will need to explicitly change the default settings to configure Vela as desired. Some of the fixes will interrupt existing workflows and will require Vela administrators to modify default settings. However, not applying the patch (or workarounds) will continue existing risk exposure. Some workarounds are available. Vela administrators can adjust the worker’s VELA_RUNTIME_PRIVILEGED_IMAGES setting to be explicitly empty, leverage the VELA_REPO_ALLOWLIST setting on the server component to restrict access to a list of repositories that are allowed to be enabled, and/or audit enabled repositories and disable pull_requests if they are not needed.
This section contains a reference of configuration options for the Vela server service.
Components
The server is made up of several components, responsible for specific tasks, necessary for the service to operate:
| Name | Description |
| --- | --- |
| compiler | transforms a pipeline into an executable workload for the worker |
| database | integrates with a database provider for storing application data at rest |
| queue | integrates with a queue provider for pushing workloads that will be run by a worker |
| secret | integrates with a secret provider for storing sensitive application data at rest |
| source | integrates with a source control management (SCM) provider for authentication and authorization |
Required
This section contains a list of all variables that must be provided to the server.
VELA_ADDR
This variable sets a fully qualified URL to the Vela server address.
The variable should be provided as a string.
VELA_DATABASE_ENCRYPTION_KEY
This configuration variable is used by the database component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets the AES key for encrypting/decrypting values for data stored in the database.
The variable should be provided as a string.
VELA_QUEUE_ADDR
This configuration variable is used by the queue component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets a fully qualified URL to the queue instance for pushing workloads that will be run by a worker.
The variable should be provided as a string.
VELA_QUEUE_DRIVER
This configuration variable is used by the queue component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets the driver to use for the queue functionality for the server.
The variable should be provided as a string.
VELA_SCM_CLIENT
This configuration variable is used by the SCM component for the server.
This variable sets the client ID from the OAuth application created on the SCM system.
The variable should be provided as a string.
VELA_SCM_SECRET
This configuration variable is used by the SCM component for the server.
This variable sets the client secret from the OAuth application created on the SCM system.
The variable should be provided as a string.
VELA_SECRET
This variable sets a shared secret with the Vela worker for authenticating communication between workers and the server.
The variable should be provided as a string.
Optional
This section contains a list of all variables that can be provided to the server.
VELA_ACCESS_TOKEN_DURATION
This variable sets the maximum duration of time a Vela access token for a user is valid on the server.
The access token is used for authenticating a user’s requests to the server.
The variable can be provided as a duration (e.g. 5s, 10m).
VELA_COMPILER_GITHUB
This configuration variable is used by the compiler component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable enables using GitHub or GitHub Enterprise Server as a registry from which pipeline templates are fetched.
By default, Vela will use GitHub as a registry for fetching templates.
However, to fetch templates from a private organization or repository on GitHub, you need to provide this configuration.
The variable can be provided as a boolean.
VELA_COMPILER_GITHUB_TOKEN
This configuration variable is used by the compiler component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets a Personal Access Token (PAT) for fetching pipeline templates from GitHub or GitHub Enterprise Server.
By default, Vela will use GitHub as a registry for fetching templates.
However, to fetch templates from a private organization or repository on GitHub, you need to provide this configuration.
The variable can be provided as a string.
VELA_COMPILER_GITHUB_URL
This configuration variable is used by the compiler component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets a fully qualified URL to the GitHub or GitHub Enterprise Server instance from which pipeline templates are fetched.
By default, Vela will use GitHub as a registry for fetching templates.
However, to fetch templates from a private organization or repository on GitHub, you need to provide this configuration.
The variable can be provided as a string.
VELA_DATABASE_ADDR
This configuration variable is used by the database component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets a fully qualified URL to the database instance for storing data at rest.
The variable can be provided as a string.
VELA_DATABASE_COMPRESSION_LEVEL
This configuration variable is used by the database component for the server.
This variable sets the level of compression for workload logs, uploaded by the Vela worker, which are stored in the database.
The variable can be provided as an integer.
VELA_DATABASE_CONNECTION_IDLE
This configuration variable is used by the database component for the server.
This variable sets the maximum number of idle connections allowed for the database client.
The variable can be provided as an integer.
VELA_DATABASE_CONNECTION_LIFE
This configuration variable is used by the database component for the server.
This variable sets the maximum duration of time a connection is reusable for the database client.
The variable can be provided as a duration (e.g. 5s, 10m).
VELA_DATABASE_CONNECTION_OPEN
This configuration variable is used by the database component for the server.
This variable sets the maximum number of open connections allowed for the database client.
The variable can be provided as an integer.
VELA_DATABASE_DRIVER
This configuration variable is used by the database component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets the driver to use for the database functionality for the server.
The variable can be provided as a string.
VELA_DATABASE_SKIP_CREATION
This configuration variable is used by the database component for the server.
This variable enables skipping the creation of tables and indexes in the database system.
The variable can be provided as a boolean.
VELA_DEFAULT_BUILD_LIMIT
This variable sets the default number of concurrent builds a repo is allowed to run.
In this context, concurrent builds refers to any pending or running builds for that repo.
If the number of concurrent builds for a repo matches the limit, then any new builds will be blocked from being created.
The variable can be provided as an integer.
VELA_DEFAULT_BUILD_TIMEOUT
This variable sets the default duration of time a build is allowed to run on a worker.
The variable can be provided as an integer.
VELA_DISABLE_WEBHOOK_VALIDATION
This variable disables validation of webhooks sent by the SCM to the server.
The variable can be provided as a boolean.
VELA_ENABLE_SECURE_COOKIE
This enables using cookies with the secure flag set by the server.
The variable can be provided as a boolean.
VELA_MAX_BUILD_LIMIT
This variable sets the maximum number of concurrent builds a repo is allowed to run.
In this context, concurrent builds refers to any pending or running builds for that repo.
If the number of concurrent builds for a repo matches the limit, then any new builds will be blocked from being created.
The variable can be provided as an integer.
VELA_MODIFICATION_ADDR
This configuration variable is used by the compiler component for the server.
This variable sets a fully qualified URL to the modification endpoint used for the compiler.
The variable can be provided as a string.
VELA_MODIFICATION_RETRIES
This configuration variable is used by the compiler component for the server.
This variable sets the maximum number of times to resend failed requests to the modification endpoint for the compiler.
The variable can be provided as an integer.
VELA_MODIFICATION_SECRET
This configuration variable is used by the compiler component for the server.
This variable sets a shared secret for authenticating communication between the compiler and the modification endpoint.
The variable can be provided as a string.
VELA_MODIFICATION_TIMEOUT
This configuration variable is used by the compiler component for the server.
This variable sets the maximum duration of time the compiler will wait before timing out requests sent to the modification endpoint.
The variable can be provided as a duration (e.g. 5s, 10m).
VELA_PORT
This variable sets the port the server API responds on for HTTP requests.
The variable can be provided as a string.
VELA_QUEUE_CLUSTER
This configuration variable is used by the queue component for the server.
This variable enables the server to connect to a queue cluster rather than a standalone instance.
The variable can be provided as a boolean.
VELA_QUEUE_POP_TIMEOUT
This configuration variable is unused by the queue component for the server.
This variable sets the maximum duration of time the worker will wait before timing out requests sent for pushing workloads.
The variable can be provided as a duration (e.g. 5s, 10m).
VELA_QUEUE_ROUTES
This configuration variable is used by the queue component for the server.
This variable sets the unique channels or topics to push workloads to.
The variable can be provided as a comma-separated list (e.g. myRoute1,myRoute2).
VELA_REFRESH_TOKEN_DURATION
This variable sets the maximum duration of time a Vela refresh token for a user is valid on the server.
The refresh token is used for refreshing a user’s access token on the server.
The variable can be provided as a duration (e.g. 5s, 10m).
VELA_REPO_ALLOWLIST
This variable sets a group of repositories, from the SCM, that can be enabled on the server.
The variable can be provided as a comma-separated list (e.g. myOrg1/myRepo1,myOrg1/myRepo2,myOrg2/*).
VELA_SCM_ADDR
This configuration variable is used by the SCM component for the server.
This variable sets a fully qualified URL to the source control management (SCM) system.
The variable can be provided as a string.
VELA_SCM_CONTEXT
This configuration variable is used by the SCM component for the server.
This variable sets the message to set in the commit status on the SCM system.
The variable can be provided as a string.
VELA_SCM_DRIVER
This configuration variable is used by the SCM component for the server.
This variable sets the driver to use for the SCM functionality for the server.
The variable can be provided as a string.
VELA_SCM_SCOPES
This configuration variable is used by the SCM component for the server.
This variable sets the permission scopes to apply for OAuth credentials captured from the SCM system.
The variable can be provided as a comma-separated list (e.g. myScope1,myScope2).
VELA_SCM_WEBHOOK_ADDR
This configuration variable is used by the SCM component for the server.
This variable sets a fully qualified URL on the SCM system to send webhooks to the server.
The variable can be provided as a string.
VELA_SECRET_VAULT
This configuration variable is used by the secret component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable enables using HashiCorp Vault as a secret engine.
The variable can be provided as a boolean.
VELA_SECRET_VAULT_ADDR
This configuration variable is used by the secret component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets a fully qualified URL to the HashiCorp Vault instance.
The variable can be provided as a string.
VELA_SECRET_VAULT_AUTH_METHOD
This configuration variable is used by the secret component for the server.
This variable sets the authentication method to obtain a token from the HashiCorp Vault instance.
The variable can be provided as a string.
VELA_SECRET_VAULT_AWS_ROLE
This configuration variable is used by the secret component for the server.
This variable sets the HashiCorp Vault role to connect to the auth/aws/login endpoint.
The variable can be provided as a string.
VELA_SECRET_VAULT_PREFIX
This configuration variable is used by the secret component for the server.
This variable sets the prefix for k/v secrets in the HashiCorp Vault instance.
The variable can be provided as a string.
VELA_SECRET_VAULT_RENEWAL
This configuration variable is used by the secret component for the server.
This variable sets the frequency to renew the token for the HashiCorp Vault instance.
The variable can be provided as a duration (e.g. 5s, 10m).
VELA_SECRET_VAULT_TOKEN
This configuration variable is used by the secret component for the server.
Examples using this configuration variable are provided in the above reference documentation.
This variable sets the token for accessing the HashiCorp Vault instance.
The variable can be provided as a string.
VELA_SECRET_VAULT_VERSION
This configuration variable is used by the secret component for the server.
This variable sets the version for the k/v backend for the HashiCorp Vault instance.
The variable can be provided as a string.
VELA_WEBUI_ADDR
This variable sets a fully qualified URL to the Vela UI address.
The variable can be provided as a string.
VELA_WEBUI_OAUTH_CALLBACK_PATH
This variable sets the endpoint to use for the OAuth callback path for the Vela UI.
The variable can be provided as a string.
VELA_WORKER_ACTIVE_INTERVAL
This variable sets the interval of time during which workers will be considered active. A worker is considered active if it has registered with the server within the given duration.
The variable can be provided as a duration (e.g. 5s, 10m).
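The following is an added example, not code from the Vela project: a small audit that checks an environment file against the required variables listed above, the two workarounds named in the advisory, and the two optional settings that weaken the server when changed. It assumes env-file style KEY=VALUE input, Go-style boolean spellings, and that a bare "*" allowlist entry admits every repository; the sample values are constructed.

```python
# Added example: audits the Vela settings named on this page. Not Vela project code.
REQUIRED = ["VELA_ADDR", "VELA_DATABASE_ENCRYPTION_KEY", "VELA_QUEUE_ADDR",
            "VELA_QUEUE_DRIVER", "VELA_SCM_CLIENT", "VELA_SCM_SECRET", "VELA_SECRET"]
# Assumption: boolean values use the spellings Go's strconv.ParseBool reads as true.
TRUTHY = {"1", "t", "T", "TRUE", "true", "True"}

def parse_env(text):
    """Parse KEY=VALUE lines (env-file style); skip blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def audit_server(env):
    """Return (variable, message) findings for a server environment."""
    findings = [(name, "required variable is missing or empty")
                for name in REQUIRED if not env.get(name)]
    repos = [r.strip() for r in env.get("VELA_REPO_ALLOWLIST", "").split(",") if r.strip()]
    # Assumption: a bare "*" entry allows every repository on the SCM.
    if not repos or "*" in repos:
        findings.append(("VELA_REPO_ALLOWLIST", "not restricted to named repositories"))
    if env.get("VELA_DISABLE_WEBHOOK_VALIDATION") in TRUTHY:
        findings.append(("VELA_DISABLE_WEBHOOK_VALIDATION", "SCM webhooks are not validated"))
    if "VELA_ENABLE_SECURE_COOKIE" in env and env["VELA_ENABLE_SECURE_COOKIE"] not in TRUTHY:
        findings.append(("VELA_ENABLE_SECURE_COOKIE", "cookies lose the secure flag"))
    return findings

def audit_worker(env):
    """Advisory workaround: VELA_RUNTIME_PRIVILEGED_IMAGES is set and empty."""
    value = env.get("VELA_RUNTIME_PRIVILEGED_IMAGES")
    if value is None:
        return [("VELA_RUNTIME_PRIVILEGED_IMAGES", "not set; set it explicitly empty")]
    if value.strip():
        return [("VELA_RUNTIME_PRIVILEGED_IMAGES", "privileged images allowed: " + value)]
    return []

# Constructed sample input (placeholder values, not from a real deployment).
SAMPLE_SERVER = parse_env("""
VELA_ADDR=https://vela-server.example.com
VELA_QUEUE_ADDR=redis://queue.example.com:6379
VELA_QUEUE_DRIVER=redis
VELA_SCM_CLIENT=example-client-id
VELA_DISABLE_WEBHOOK_VALIDATION=true
VELA_REPO_ALLOWLIST=myOrg1/myRepo1,*
""")
SAMPLE_WORKER = parse_env("VELA_RUNTIME_PRIVILEGED_IMAGES=target/vela-docker")
```

An empty findings list from both functions means the required variables are present and both advisory workarounds are in place; it says nothing about whether the allowlisted repositories themselves should be trusted.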
Related news
### Impact

Some current default configurations for Vela allow exploitation and container breakouts.

#### Default Privileged Images

Running Vela plugins as privileged Docker containers allows a malicious user to easily break out of the container and gain access to the worker host operating system. On a fresh install of Vela without any additional configuration, the `target/vela-docker` plugin will run as a privileged container, even if the Vela administrators did not intend to allow for any privileged plugins, and even if the `vela.yml` configuration file does not use the `privileged = True` flag. Privileged containers permit trivial breakouts, which can pose significant risk to the environment in which Vela is running.

#### Default Allowed Repositories

On a fresh install of Vela, anyone with a GitHub account (or other enabled source control management solution) is allowed to enable a repository within Vela and run builds. This means that, if a Vela instance is accessible to the pu...