Announcement: Upgrade to 1.2.1 to resolve CVE-2018-1000060

Hey all,

We want to ensure Sensu users are aware of a potential security vulnerability discovered recently. It impacts all Sensu versions earlier than 1.2.1 and its full description is here. In a nutshell, if you have passwords in your configuration, there’s a chance they’re not redacted when configuration is printed in Sensu service logs (/var/log/sensu).

For what it’s worth, this behavior of the redact method has been working in this way for 5 years, so we are reasonably confident it hasn’t been a major concern to users. Also remember users would need access to /var/log/sensu in order to view these logs. That said, we want to take this seriously and get the information to you promptly.

Please update if this concerns you. Direct download to 1.2.1 is here.

All the best,

Matt

VP Community, Sensu

Join our Community Slack
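
The following is an added example, not part of the announcement and not Sensu's own code: a way to check whether log files already written under /var/log/sensu contain configuration values that were not redacted. It assumes the logs are one JSON object per line and that a redacted value appears as the string "REDACTED"; the key list and all helper names are assumptions to adjust to your own redaction settings.

```ruby
require 'json'

# Assumed list of sensitive key names; adjust to your own redaction settings.
SENSITIVE_KEYS = %w[password passwd pass api_key api_token access_key
                    secret_key private_key secret].freeze
REDACTED = 'REDACTED' # assumed placeholder written in place of a redacted value

# Recursively walk parsed JSON (hashes and arrays) and collect the paths of
# sensitive keys whose values were logged as-is. Only paths are returned.
def unredacted_paths(node, path = '', found = [])
  case node
  when Hash
    node.each do |key, value|
      here = path.empty? ? key.to_s : "#{path}.#{key}"
      if SENSITIVE_KEYS.include?(key.to_s) && !value.nil? && value != REDACTED
        found << here
      else
        unredacted_paths(value, here, found)
      end
    end
  when Array
    node.each_with_index { |item, i| unredacted_paths(item, "#{path}[#{i}]", found) }
  end
  found
end

# Scan an enumerable of log lines; returns [line_number, [paths]] pairs.
def scan_log_lines(lines)
  hits = []
  lines.each_with_index do |line, idx|
    paths = unredacted_paths(JSON.parse(line))
    hits << [idx + 1, paths] unless paths.empty?
  rescue JSON::ParserError
    next # skip non-JSON lines (stack traces, partial writes)
  end
  hits
end

# Constructed sample lines, not real Sensu output.
SAMPLE = [
  '{"level":"info","message":"config loaded","settings":{"redis":{"host":"127.0.0.1","password":"REDACTED"}}}',
  '{"level":"warn","message":"config changed","settings":{"checks":{"db":{"targets":[{"name":"a","password":"hunter2-constructed"}]}}}}',
  'not json at all'
].freeze

if __FILE__ == $PROGRAM_NAME
  source = ARGV.empty? ? SAMPLE : File.foreach(ARGV[0])
  scan_log_lines(source).each { |n, paths| puts "line #{n}: #{paths.join(', ')}" }
end
```

Pass a log file path as the first argument to scan it; with no argument the constructed sample is scanned. The output lists line numbers and key paths only, so the report itself does not repeat any secret.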