Publication date: February 2, 2021
A bug in the protobuf binary decode functions makes it possible to crash a CockroachDB node by sending a specially crafted HTTP request. This bug can be triggered even without an authenticated session to the DB console.
This is resolved in CockroachDB by PR #58716 which fixes the decoding routine of protobuf payloads.
The fix has been applied to maintenance releases of CockroachDB v19.2, v20.1, and v21.1.
This public issue is tracked as #58932.
Users of CockroachDB v19.2, v20.1, or v20.2 are invited to upgrade to v19.2.12, v20.1.11, v20.2.4, or a later version. When upgrading is not an option, users should audit their network configuration to verify that the CockroachDB HTTP port is not available to untrusted clients. We recommend blocking the HTTP port behind a firewall.
This bug constitutes a security vulnerability, as an attacker can use it to cause full-cluster unavailability. This vulnerability in protobuf is known as CVE-2021-3121. All versions of CockroachDB up to and including v19.2.11, v20.1.10, and v20.2.3 are affected.
Questions about any technical alert can be directed to our Support team.
We thank Kirk Baird for reporting this issue to Cockroach Labs.