PingOne Advanced Identity Cloud Security Advisory #202501
A security vulnerability has been identified in PingOne Advanced Identity Cloud Sandbox Environments. This issue was introduced on 3rd January 2025 and remediated on 22nd January 2025.
January 28, 2025
Issue #202501-01
Field | Value |
---|---|
Fixed versions | 16376.0 (released 22nd January 2025) |
Component | Sandbox, Logging |
Severity | Medium |
Description:
A medium severity Information Exposure (CWE-532) vulnerability has been identified in PingOne Advanced Identity Cloud. This issue was introduced on 3rd January 2025 and remediated on 22nd January 2025.
In Sandbox environments, secrets stored in Environment-Specific Variables (ESVs) were improperly logged to isolated GCP tenant logs during application start-up. These secrets could have been exposed to customer internal employees of the affected tenant who have access to tenant logs, even if they lack privileges to view or edit ESV secrets within the sandbox environment.
Additionally, if customers have configured their sandbox logs to be ingested into their own internal systems, such as a Security Information and Event Management (SIEM) solution or other log aggregation tools, these secrets could also have been inadvertently logged within those systems.
Resolution:
An update was applied to all environments on 22nd January 2025 which resolves this issue.
Customers utilizing the add-on sandbox capability are strongly advised to rotate all Environment-Specific Variables (ESVs) in their sandbox environments. For detailed instructions, please refer to the PingOne Advanced Identity Cloud documentation: Rotate keys in mapped ESV secrets.
Customers that use log tailing or otherwise ingest logs from their sandbox environments are encouraged to consider purging logs from their internal systems where they have been written during the affected time period (3rd January 2025 up to and including 22nd January 2025).
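As an added example (not part of this advisory and not Ping Identity's tooling), the script below shows how a customer could locate ingested sandbox log records from the affected window that still contain pre-rotation ESV values, so those records can be purged, and how a sink-side filter would mask such values before they are written. The ESV names, secret values and log line format are constructed for the example; the real tenant log format is not described in the advisory.

```python
from datetime import datetime, timezone

# Affected period stated in the advisory: 3rd January 2025 up to and including 22nd January 2025.
WINDOW_START = datetime(2025, 1, 3, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 1, 22, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample: pre-rotation ESV secret values (names and values are made up).
ESV_SECRETS = {
    "esv-smtp-password": "Sup3rS3cretSmtp!",
    "esv-oauth-client-secret": "c0ffee-d00d-1234",
}

# Constructed sample log lines as they might look after SIEM ingestion (hypothetical format).
SAMPLE_LOGS = [
    "2025-01-02T23:59:00Z INFO startup: loading ESV esv-smtp-password=Sup3rS3cretSmtp!",
    "2025-01-10T08:15:00Z INFO startup: loading ESV esv-smtp-password=Sup3rS3cretSmtp!",
    "2025-01-15T12:00:00Z INFO startup: loading ESV esv-oauth-client-secret=c0ffee-d00d-1234",
    "2025-01-20T09:30:00Z INFO request served in 12ms",
    "2025-01-22T23:00:00Z INFO startup: loading ESV esv-oauth-client-secret=c0ffee-d00d-1234",
    "2025-01-23T00:00:01Z INFO startup: loading ESV esv-smtp-password=***",
]


def parse_ts(line):
    """Parse the leading ISO-8601 UTC timestamp of a log line."""
    stamp = line.split(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_leaked(lines, secrets):
    """Return (line_index, esv_name) for every record inside the affected window
    that contains a pre-rotation secret value; these are the records to purge."""
    hits = []
    for i, line in enumerate(lines):
        if not (WINDOW_START <= parse_ts(line) <= WINDOW_END):
            continue
        for name, value in secrets.items():
            if value in line:
                hits.append((i, name))
    return hits


def redact(line, secrets):
    """Mask known secret values so the raw value never reaches the log sink (CWE-532 mitigation)."""
    for value in secrets.values():
        line = line.replace(value, "[REDACTED]")
    return line


if __name__ == "__main__":
    for idx, name in find_leaked(SAMPLE_LOGS, ESV_SECRETS):
        print(f"purge record {idx}: {name} -> {redact(SAMPLE_LOGS[idx], ESV_SECRETS)}")
```

Run the scan against exported log records only from a host that is already trusted to hold the secret values, since the search needs the raw pre-rotation values; once the ESVs have been rotated, the old values are no longer live.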
See Also:
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
January 28, 2025 | Initial release |