Publication date: January 18, 2023
CockroachDB Cloud users that have been granted the Developer role in a cloud organization could use a specific DB Console API for any cluster in the organization and perform SQL admin-like operations including reading from or writing to any table in the cluster. The mentioned API is not publicly documented and is exclusively used internally by a select set of pages in the CockroachDB Cloud Console that retrieve data by proxying to a cluster’s DB Console.
The problem poses a company insider risk within your CockroachDB Cloud organization and increases the probability of data exfiltration by users that have been assigned the Developer role and are not intended to have access to data outside of their scope. This applies to any cluster of CockroachDB within a cloud organization, regardless of version.
This does not affect you if your company self-hosts and deploys CockroachDB in their own infrastructure. This vulnerability requires CockroachDB Cloud organization membership and can not be exploited by users outside of a user's CockroachDB Cloud organization.
The problem has been mitigated by a fix that has been applied to the CockroachDB Cloud Console and deployed to all cloud organizations.
All users assigned the Developer role in a CockroachDB Cloud organization will now access relevant pages in the Cloud Console using a underlying per-cluster SQL user which has been assigned only the following SQL permissions according to the principle of least privilege:
- Cluster node metadata
See Role Options for more information on these roles.
The users assigned the org admin role in a CockroachDB Cloud organization will continue to access the relevant pages in Cloud Console using an underlying per-cluster SQL admin user, as it is intended to be an all-access, highly privileged role.
A fix has been automatically applied to all CockroachDB Cloud organizations. With this change, the risk related to this issue, of the possibility of accessing data from any cluster in a cloud organization by users that have been assigned the Developer role, has been removed. This change follows the least privilege principle by ensuring that users with the lower-privilege Developer role only have the underlying SQL permissions applicable to their role level.
It is recommended that admins in a CockroachDB Cloud organization follow the authorization best practice of the principle of least privilege - whereby a user is granted exactly the minimum set of permissions necessary to perform the task required - and grant the org admin role to only those users who are required to have access to all the data in a cluster. In all other cases, the Developer role should be assigned to reduce the insider risk of data exfiltration.
Admins should also ensure that when users access a cluster’s DB Console directly from the CockroachDB Cloud’s Tools page, they authenticate with specific SQL users that have been assigned only the required SQL privileges within the cluster. See Authorization (Self-Hosted) and Authorization in CockroachDB for more information.
We have had no reports of customers impacted by this vulnerability and have not found any evidence that this exploit was utilized before it was patched. We’ve analyzed the product usage metrics which indicate that the vulnerability wasn’t exploited in a cloud organization. We are not able to share pertinent logs for this scenario, but recommend that customers configure log export for CockroachDB Dedicated clusters and enable the SQL audit log for tables containing confidential data as a general best practice.
Cockroach Labs discovered the issue when developing a related capability for CockroachDB Cloud Console and doing thorough threat modeling and testing for it. This triggered our security incident response process and we addressed the issue immediately.
If any of your users with the Developer role in your cloud organization are not able to access a functionality that they were previously able to, we expect this is an intentional outcome of applying the principle of least privilege (refer the “Statement” section above). For Developer-level users unable to perform required functions, please grant them direct SQL access to the cluster via SQL or to the DB Console from the CockroachDB Cloud’s Tools page.
Please reach out to the support team if more information or assistance is needed.