Publication date: February 12, 2020.

Description

The privileged HTTP endpoint /_status/statements, also used by the Admin UI "Statements" page, is incorrectly available to non-admin users.

Statement

This HTTP endpoint and Admin UI page currently reveal sensitive information, as they display the SQL text of queries run by all users across the cluster.

Starting in CockroachDB v19.2.4, v19.1.8 and v2.1.12, admin privileges will be required to access this endpoint and UI page. All users are invited to upgrade. CockroachDB v19.2.3 v19.1.7 and v2.1.11 are still affected.

A new feature to enable access to their own statement details by non-admin users is being considered for inclusion in CockroachDB v20.1 or later.

This public issue is tracked as #44348.

Mitigation

Affected sites can mitigate the issue in either of the following ways:

  • By blocking direct access to the HTTP port and using a HTTP proxy instead, and block access to the URL /_status/statements in the HTTP proxy.
  • By preventing non-admin users from using the HTTP endpoint entirely, which can be achieved by erasing their password field (e.g. via ALTER USER … WITH PASSWORD NULL).
  • By blocking access to the HTTP port on non-privileged networks using firewalling.

Impact

All deployments up to v2.1.11, v19.1.7 and v19.2.3 are affected.

A non-privileged user can use this data to discover the activity of other users, as well as the existence of database and tables over which they do not have SQL privileges. The content of tables, as well as the particular values used by SQL queries, are not accessible via these endpoints.

Questions about any technical alert can be directed to our support team.



Yes No