CockroachDB Technical Alert 01-22-2020

We’ve launched a process of alerting our users about important issues within CockroachDB. We’ll post to the forum when we discover issues that may impact many users. Please reach out to our support team with any questions.

Advisory 42567 - HTTP endpoint vulnerability

Description

Prior to versions 2.1.10 / 19.1.6 / 19.2.2, CockroachDB allowed unauthenticated access to privileged HTTP endpoints such as /_admin/v1/events, which internally operate with the privileges of the CockroachDB root user.

Additionally, it internally used root privileges to render certain Admin UI pages for logged-in but non-admin users.

Statement

This was a security vulnerability, because these endpoints and Admin UI pages operate using the permissions of the root CockroachDB user and could thus access (and sometimes modify) arbitrary stored data in the cluster and files in the data directories.

This issue was fixed in patch revisions 2.1.10, 19.1.6, and 19.2.2 by requiring valid authentication by an admin user and by rendering Admin UI pages with the credentials of the logged-in user. All users of 2.1 or later are invited to upgrade their deployments immediately.

The issue also exists in versions 2.0.x and prior. However, up to and including version 2.0.x, the HTTP endpoint was not advertised as safe for use on non-privileged networks. Additionally, versions 2.0 and prior have reached end-of-life. All users are invited to upgrade to 2.1.10 or, preferably, a later version.

This issue is tracked internally as https://github.com/cockroachdb/cockroach/issues/42567

Mitigation

Affected sites can mitigate the vulnerability by firewalling access to the HTTP endpoint.

Impact

All deployments up to and excluding revisions 2.1.9, 19.1.5, and 19.2.1 in which the CockroachDB HTTP port is exposed on unprivileged networks are affected.

Vulnerable deployments risk exposing privileged data to non-privileged users. A full list of the affected HTTP endpoints and which type of data is exposed is provided here.

Advisory 43870 - HTTP authentication

Description

Following the fix for Advisory 42567, CockroachDB from versions 2.1.10, 19.1.6, and 19.2.2 onward limits access to privileged HTTP endpoints (privileged Admin UI pages and monitoring APIs) to authenticated admin users. However, the SQL root user specifically is currently not able to log in via HTTP.

Statement

The root user is currently unable to use privileged HTTP endpoints because root is prevented from having a password (this is a CockroachDB feature from version 1.0 to 19.2, only lifted in 20.1) and HTTP endpoints only support password authentication.

Without an enterprise license, the only SQL admin user is root. Therefore, core users are unable to use these privileged HTTP endpoints.

A product change is planned to enable passwordless users including root to access HTTP endpoints safely and without a license. This change will be distributed in CockroachDB 19.2.3. This solution will be usable with servers/clusters running versions 2.1, 19.1 and 19.2 without requiring a server upgrade. Starting in version 20.1, the root user will also be able to use a password and log in via HTTP interactively.

This issue is tracked internally as https://github.com/cockroachdb/cockroach/issues/43870

Mitigation

Affected sites can obtain a temporary evaluation license, create a user other than root, give it a password, grant it the admin role, then let the evaluation license expire. The admin user created in this manner will persist beyond the license expiry.
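The mitigation above (which the 44033 mitigation also points to) expressed as the SQL statements an operator would run as root over the SQL port; this is an added example, not text from the advisory. The user name http_admin, the password and the license key are placeholders you substitute.

```sql
-- Added example, not from the advisory. Assumes an evaluation license
-- key obtained from Cockroach Labs; 'http_admin' is a placeholder name.

-- 1. Enable enterprise features (roles) for the duration of the
--    evaluation license.
SET CLUSTER SETTING enterprise.license = '<EVALUATION_LICENSE_KEY>';

-- 2. Create a non-root user that carries a password; root cannot
--    have one before 20.1, and HTTP login is password-only.
CREATE USER IF NOT EXISTS http_admin WITH PASSWORD '<STRONG_PASSWORD>';

-- 3. Grant the admin role. Per the advisory, this membership persists
--    after the evaluation license expires.
GRANT admin TO http_admin;

-- 4. Verify the membership before relying on it for Admin UI login;
--    http_admin should appear among the members of admin.
SHOW GRANTS ON ROLE admin;
```

Log in to the Admin UI as http_admin with that password; it can then reach the privileged pages and monitoring endpoints that root cannot.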

Impact

All core users of CockroachDB 2.1.10, 19.1.6, and 19.2.2 without an Enterprise license are affected.

Affected deployments are prevented from using privileged Admin UI pages and monitoring HTTP endpoints.

Advisory 44033 - blank Admin UI pages

Description

Following the fix for Advisory 42567, CockroachDB currently displays blank pages or error messages when non-admin users attempt to access certain (non-privileged) Admin UI pages.

Statement

The product changes related to advisory 42567 have introduced a regression in this product feature. The list of UI pages affected includes but is not limited to:

  • Job details
  • Database details
  • Table details
  • Zone configurations

Cockroach Labs is aware of this bug and will address it in a maintenance release, so that non-admin users are able to access these pages again.

This is tracked internally as https://github.com/cockroachdb/cockroach/issues/44033

Mitigation

The pages can be accessed using an admin user until a fix is released.

However, please also consult advisory 43870 and its mitigation section.

Impact

Deployments of CockroachDB versions 2.1.10, 19.1.6, and 19.2.2 are affected.

Users of affected sites have a reduced ability to inspect the state of their cluster and the data stored therein using non-admin user accounts.

Questions about any technical alert can be directed to our Support team.