Matillion Security Advisory: Potential credentials in Matillion ETL log file
Affected Products: Matillion ETL for Snowflake
Affected Platforms: Microsoft Azure, Amazon Web Services (AWS)
Affected Versions: 1.44
Risk Level: Low
A product defect in version 1.44 of Matillion ETL for Snowflake can cause credentials to be written to the log files in /var/log/tomcat/ or, where configured, to Amazon CloudWatch. This affects users of any data loading component configured not to use Snowflake Managed Storage (the default configuration).
Where users are using instance credentials for AWS or Azure, the logged credentials are short lived (24 hours for Azure). Where users are using User Defined Credentials, those credentials may have been logged, and it would be a sensible precaution to rotate the keys associated with the user or IAM role.
The affected log files could contain a line that follows the pattern:
com.matillion.bi.emerald.server.snowflake.staging.SnowflakeStager.loadTableSql COPY Statement: COPY INTO "<database>"."<schema>"."<table>" (<columns>)
FROM 's3://<bucket Name>/<uuid>' CREDENTIALS = (XXXXXX) FILE_FORMAT=(TYPE='CSV'FIELD_DELIMITER='\t' COMPRESSION='GZIP' TIMESTAMP_FORMAT='auto' DATE_FORMAT='auto' TIME_FORMAT='auto' TRIM_SPACE=TRUE NULL_IF=('\\N') EMPTY_FIELD_AS_NULL=FALSE)
Where XXXXXX is the AWS or Azure credential set, written out in full.
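To decide whether rotation is needed (the advice above for User Defined Credentials) it helps to scan the Tomcat logs for the pattern just described and see which credential parameters were written out. The script below is an added example, not Matillion's code: it matches the SnowflakeStager.loadTableSql COPY statement and its CREDENTIALS = ( ... ) clause as shown in this advisory, lists the credential parameters found, flags a long-lived AWS access key for rotation, treats a set containing a session or SAS token as temporary instance credentials (this classification is the script's own assumption), pulls the expiry out of an Azure SAS token where present, and produces a redacted copy of the line that can be shared safely. The parameter names AWS_KEY_ID, AWS_SECRET_KEY, AWS_TOKEN and AZURE_SAS_TOKEN are Snowflake's COPY INTO credential parameters; the sample log lines are constructed and their credential values are fake.

```python
"""Scan Matillion ETL (Tomcat) log lines for the credentials-in-COPY-statement
pattern described in this advisory and report what needs rotating.

Added example, not Matillion's code. The class name and the CREDENTIALS = ( ... )
clause come from the advisory; the parameter names inside the clause are
Snowflake's COPY INTO credential parameters. Treating a set that carries a
session/SAS token as temporary (instance) credentials is this script's assumption.
"""
import re
from typing import Dict, List

STAGER = "com.matillion.bi.emerald.server.snowflake.staging.SnowflakeStager.loadTableSql"
CREDS_CLAUSE = re.compile(r"CREDENTIALS\s*=\s*\(([^)]*)\)", re.IGNORECASE)
KV = re.compile(r"(\w+)\s*=\s*'([^']*)'")        # NAME = 'value' pairs inside the clause
STAGE_URI = re.compile(r"FROM\s+'([^']*)'", re.IGNORECASE)
SAS_EXPIRY = re.compile(r"[?&]se=([^&]+)")       # 'se' is the SAS signed-expiry field


def classify(keys: Dict[str, str]) -> str:
    """Decide whether a leaked credential set needs manual rotation (assumption: see docstring)."""
    if "AWS_TOKEN" in keys or "AZURE_SAS_TOKEN" in keys:
        return "temporary"   # session / SAS token: instance credentials that expire by themselves
    if "AWS_KEY_ID" in keys or "AWS_SECRET_KEY" in keys:
        return "rotate"      # long-lived user-defined IAM access key: rotate it
    return "unknown"


def find_leaked_credentials(lines: List[str]) -> List[dict]:
    """Return one finding per log line that carries a COPY statement with a CREDENTIALS clause."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if STAGER not in line:
            continue
        m = CREDS_CLAUSE.search(line)
        if not m:
            continue
        keys = {k.upper(): v for k, v in KV.findall(m.group(1))}
        uri = STAGE_URI.search(line)
        exp = SAS_EXPIRY.search(keys.get("AZURE_SAS_TOKEN", ""))
        findings.append({
            "line": lineno,
            "stage_uri": uri.group(1) if uri else None,
            "keys": sorted(keys),
            "verdict": classify(keys),
            "expires": exp.group(1) if exp else None,
        })
    return findings


def redact(line: str) -> str:
    """Replace every credential value in the clause with '***' so the line can be shared."""
    def scrub(m):
        inner = KV.sub(lambda kv: f"{kv.group(1)} = '***'", m.group(1))
        return f"CREDENTIALS = ({inner})"
    return CREDS_CLAUSE.sub(scrub, line)


# Constructed sample log lines (not real Matillion output); all credential values are fake.
SAMPLE_LOG = [
    r"""2020-04-01 10:14:58 INFO  org.apache.catalina.startup.Catalina.start Server startup in 3120 ms""",
    rf"""2020-04-01 10:15:01 INFO  {STAGER} COPY Statement: COPY INTO "DEMO_DB"."PUBLIC"."ORDERS" (ID, AMOUNT) FROM 's3://demo-bucket/3f2c9b1e-0c0d-4a5e-9c7a-1b2c3d4e5f60' CREDENTIALS = (AWS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE' AWS_SECRET_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY') FILE_FORMAT=(TYPE='CSV' FIELD_DELIMITER='\t' COMPRESSION='GZIP' NULL_IF=('\\N') EMPTY_FIELD_AS_NULL=FALSE)""",
    rf"""2020-04-01 10:16:07 INFO  {STAGER} COPY Statement: COPY INTO "DEMO_DB"."PUBLIC"."CUSTOMERS" (ID, NAME) FROM 'azure://demoacct.blob.core.windows.net/staging/7a1d2e3f' CREDENTIALS = (AZURE_SAS_TOKEN = '?sv=2019-12-12&ss=b&srt=o&sp=rw&se=2020-04-02T10:15:00Z&sig=FAKESIGNATURE') FILE_FORMAT=(TYPE='CSV' COMPRESSION='GZIP')""",
    rf"""2020-04-01 10:17:22 INFO  {STAGER} COPY Statement: COPY INTO "DEMO_DB"."PUBLIC"."EVENTS" (ID, TS) FROM 's3://demo-bucket/9e8d7c6b' CREDENTIALS = (AWS_KEY_ID='ASIAIOSFODNN7EXAMPLE' AWS_SECRET_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' AWS_TOKEN='FwoGZXIvYXdzEXAMPLETOKEN') FILE_FORMAT=(TYPE='CSV' COMPRESSION='GZIP')""",
]

if __name__ == "__main__":
    # Run against the constructed sample; point it at real files with
    # find_leaked_credentials(open(path).read().splitlines()) instead.
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']:9} keys={f['keys']} stage={f['stage_uri']} expires={f['expires']}")
    print(redact(SAMPLE_LOG[1]))
```

When run against a real /var/log/tomcat/ directory (or a CloudWatch export), a "rotate" verdict means a long-lived access key was written to disk and should be rotated as the advisory recommends; a "temporary" verdict still deserves a look at the expiry, since a token that has not yet expired is usable by anyone who can read the log.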
Update Matillion. Customers who are able to update to the latest version of Matillion ETL for Snowflake (1.46) can do so via the appropriate update route described here:
Customers who wish to apply fixes to version 1.44 only should update to version 1.44.15 or later using the steps described here.