Important Advisory: PagerDuty Process Automation On Prem / Rundeck Key Pair Misconfiguration

Dear Community,

Yesterday we posted a Security Advisory to Github for a critical vulnerability in Rundeck Community and Rundeck Enterprise Docker images, versions 4.0 and earlier. Those Docker images contained a pre-generated SSH key pair in the default file path. If that key was used to configure SSH access to hosts, they would allow access to anyone with the exposed private key.

This misconfiguration only impacts Rundeck Docker instances of PagerDuty® Process Automation On Prem (formerly Rundeck) version 4.0 and earlier, not Debian, RPM or .WAR. Additionally, the file would have to be copied from the Docker image filesystem contents without overwriting it and copied to authorized_keys files on remote hosts.

If you think you may be impacted, use one of these options to scan your hosts for the exposed keys, delete any you find, and replace them with a new SSH key pair. You can find more information about the issue and resources for remediation here.