Publication date: January 22, 2020
Prior to versions v2.1.10 / v19.1.6 / v19.2.2, CockroachDB was allowing non-authenticated access to privileged HTTP endpoints like
/_admin/v1/events that internally operate with the privileges of the CockroachDB user root.
Additionally, it was internally using root privileges to render certain Admin UI pages for logged-in but non-admin users.
This was a security vulnerability, because these endpoints and Admin UI pages operate using the permissions of the root CockroachDB user and could thus access (and sometimes modify) arbitrary stored data in the cluster and files in the data directories.
This issue was fixed in patch revisions v2.1.10, v19.1.6, and v19.2.2 by requiring a valid authentication by an admin user and rendering Admin UI pages using the credentials of the logged-in user. All users of v2.1 or later are invited to upgrade their deployments immediately.
The issue also exists in versions v2.0.x and prior. However, up to and including version v2.0.x, the HTTP endpoint was not advertised safe for use on non-privileged networks. Additionally, versions v2.0 and prior have reached end-of-life. All users are invited to upgrade to v2.1.10 or, preferably, a later version.
This issue is tracked internally as #42567.
Affected sites can mitigate the vulnerability by firewalling access to the HTTP endpoint.
All deployments up to and including revisions v2.1.9, v19.1.5, and 19.2.1, and where the CockroachDB HTTP port is exposed on unprivileged networks, are affected.
Vulnerable deployments risk exposing privileged data to non-privileged users. A full list of the affected HTTP endpoints and which type of data is exposed is provided here.
Questions about any technical alert can be directed to our support team.