Matillion Security Advisory: Potential credentials in Matillion ETL log file

Affected Products: Matillion ETL for Snowflake

Affected Platforms: Microsoft Azure, Amazon Web Services (AWS)

Affected Versions: 1.44

Risk Level: Low

Details

A product defect in version 1.44 of Matillion ETL for Snowflake can cause credentials to be written to log files in /var/log/tomcat/ or to Amazon CloudWatch (where configured). This affects users of any data loading component that is configured not to use Snowflake Managed Storage (which is the default setting).

Where users are using instance credentials for AWS and Azure, the logged credentials are short lived (24 hours for Azure). Where users are using User Defined Credentials, these credentials may have been logged, so it would be a sensible precaution to rotate the keys associated with the affected user or IAM role.

The affected log files could contain a line that follows the pattern:

com.matillion.bi.emerald.server.snowflake.staging.SnowflakeStager.loadTableSql COPY Statement: COPY INTO "<database>"."<schema>"."<table>" (<columns>)
FROM 's3://<bucket Name>/<uuid>' CREDENTIALS = (XXXXXX) FILE_FORMAT=(TYPE='CSV'FIELD_DELIMITER='\t' COMPRESSION='GZIP' TIMESTAMP_FORMAT='auto' DATE_FORMAT='auto' TIME_FORMAT='auto' TRIM_SPACE=TRUE NULL_IF=('\\N') EMPTY_FIELD_AS_NULL=FALSE)
ON_ERROR=ABORT_STATEMENT TRUNCATECOLUMNS=TRUE

where XXXXXX is replaced by the AWS or Azure credentials in full.
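To find out whether an existing instance has already written credentials to disk, and to scrub them before sharing a log with anyone, the following check can be run against /var/log/tomcat/ files. It is an added example, not Matillion's code or part of the advisory; it keys on the logger name quoted above and assumes the body of the CREDENTIALS clause never contains a ')' character. The sample log lines and credential values are constructed placeholders.

```python
import re
from typing import Iterable, List, Tuple

# Logger name and prefix quoted in the advisory for the affected component.
LOGGER_MARKER = "SnowflakeStager.loadTableSql COPY Statement:"
# Captures the CREDENTIALS = ( ... ) clause of the logged COPY statement.
# Assumption: the clause body itself contains no ')' character.
CREDENTIALS_RE = re.compile(r"(CREDENTIALS\s*=\s*\()([^)]*)(\))")


def redact_line(line: str) -> str:
    """Replace the body of any CREDENTIALS clause so the line is safe to share."""
    return CREDENTIALS_RE.sub(r"\1[REDACTED]\3", line)


def find_exposed_credentials(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for each affected COPY Statement line
    whose CREDENTIALS clause carries a non-empty body. Raw secrets are never
    kept, only the redacted form, so the report itself does not leak them."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        if LOGGER_MARKER not in line:
            continue
        match = CREDENTIALS_RE.search(line)
        if match and match.group(2).strip():
            hits.append((number, redact_line(line)))
    return hits


def scan_log_file(path: str) -> List[Tuple[int, str]]:
    """Scan one Tomcat log file (e.g. under /var/log/tomcat/) line by line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_exposed_credentials(fh)


# Constructed sample log lines (not taken from a real instance); the key and
# secret below are placeholders standing in for the XXXXXX in the advisory.
SAMPLE_LOG = [
    "INFO com.matillion.bi.emerald.server.snowflake.staging.SnowflakeStager.loadTableSql COPY Statement: "
    "COPY INTO \"DB\".\"PUBLIC\".\"T\" (\"A\") FROM 's3://example-bucket/0000-uuid' "
    "CREDENTIALS = (AWS_KEY_ID='EXAMPLEKEY' AWS_SECRET_KEY='EXAMPLESECRET') "
    "FILE_FORMAT=(TYPE='CSV') ON_ERROR=ABORT_STATEMENT TRUNCATECOLUMNS=TRUE",
    "INFO com.matillion.bi.emerald.server.snowflake.staging.SnowflakeStager.loadTableSql COPY Statement: "
    "COPY INTO \"DB\".\"PUBLIC\".\"T\" (\"A\") FROM '@%T' FILE_FORMAT=(TYPE='CSV')",
    "INFO some.other.Logger Job finished in 12s",
]

if __name__ == "__main__":
    for number, redacted in find_exposed_credentials(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

A non-empty report means User Defined Credentials were written to that file and the associated keys should be rotated as the Remediation section describes.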

Remediation

Update Matillion. Customers who are happy to update to the latest version of Matillion ETL for Snowflake (1.46) can do so via the appropriate update route described here:

https://snowflake-support.matillion.com/s/article/2975839

Customers who wish to apply fixes to version 1.44 only should update to version 1.44.15 or later using the steps described here:

https://redshift-support.matillion.com/s/article/2960946