Note:
Cockroach Labs supports the current stable release and two releases prior. Therefore, this version will no longer be supported after the Spring 2020 release.

December 16, 2019


Downloads

Docker image

$ docker pull cockroachdb/cockroach:v2.1.10

Security updates

  • CockroachDB previously allowed non-authenticated access to privileged HTTP endpoints like /_admin/v1/events, which operate using root user permissions and can thus access (and sometimes modify) any and all data in the cluster. This security vulnerability has been patched by disallowing non-authenticated access to these endpoints and restricting access to admin users only.

    Note:

    Users who have built monitoring automation using these HTTP endpoints must modify their automation to work using an HTTP session token for an admin user.

  • Some Admin UI screens (e.g., Jobs) were previously incorrectly displayed using root user permissions, regardless of the logged-in user's credentials. This enabled insufficiently privileged users to access privileged information. This security vulnerability has been patched by using the credentials of the logged-in user to display all Admin UI screens.

  • Privileged HTTP endpoints and certain Admin UI screens require an admin user. However, root is disallowed from logging in via HTTP and it is not possible to create additional admin accounts without an Enterprise license. This is further discussed here and will be addressed in an upcoming patch revision.

    Note:

    Users without an Enterprise license can create an additional admin user using a temporary evaluation license, until an alternative is available. A user created this way will persist beyond the license expiry.

  • Some Admin UI screens currently display an error or a blank page when viewed by a non-admin user (e.g., Table Details). This is a known limitation mistakenly introduced by the changes described above. This situation is discussed further here and will be addressed in an upcoming patch revision. The list of UI pages affected includes but is not limited to:

    • Job details
    • Database details
    • Table details
    • Zone configurations

    Note:

    Users can access these Admin UI screens using an admin user until a fix is available.

The list of HTTP endpoints affected by the first change above includes:

| HTTP Endpoint | Description | Sensitive information revealed | Special (see below) |
|---|---|---|---|
| /_admin/v1/data_distribution | Database-table-node mapping | Database and table names | |
| /_admin/v1/databases/{database}/tables/{table}/stats | Table stats histograms | Stored table data via PK values | |
| /_admin/v1/drain | API to shut down a node | Can cause DoS on cluster | |
| /_admin/v1/enqueue_range | Force range rebalancing | Can cause DoS on cluster | |
| /_admin/v1/events | Event log | Usernames, stored object names, privilege mappings | |
| /_admin/v1/nontablestats | Non-table statistics | Stored table data via PK values | |
| /_admin/v1/rangelog | Range log | Stored table data via PK values | |
| /_admin/v1/settings | Cluster settings | Organization name | |
| /_status/allocator/node/{node_id} | Rebalance simulator | Can cause DoS on cluster | yes |
| /_status/allocator/range/{range_id} | Rebalance simulator | Can cause DoS on cluster | yes |
| /_status/certificates/{node_id} | Node and user certificates | Credentials | |
| /_status/details/{node_id} | Node details | Internal IP addresses | |
| /_status/enginestats/{node_id} | Storage statistics | Operational details | |
| /_status/files/{node_id} | Retrieve heap and goroutine dumps | Operational details | yes |
| /_status/gossip/{node_id} | Gossip details | Internal IP addresses | yes |
| /_status/hotranges | Ranges with active requests | Stored table data via PK values | |
| /_status/local_sessions | SQL sessions | Cleartext SQL queries | yes |
| /_status/logfiles/{node_id} | List of log files | Operational details | yes |
| /_status/logfiles/{node_id}/{file} | Server logs + entries | Many: names, application data, credentials, etc. | yes |
| /_status/logs/{node_id} | Log entries | Many: names, application data, credentials, etc. | yes |
| /_status/profile/{node_id} | Profiling data | Operational details | |
| /_status/raft | Raft details | Stored table data via PK values | |
| /_status/range/{range_id} | Range details | Stored table data via PK values | |
| /_status/ranges/{node_id} | Range details | Stored table data via PK values | |
| /_status/sessions | SQL sessions | Cleartext SQL queries | yes |
| /_status/span | Statistics per key span | Whether certain table rows exist | |
| /_status/stacks/{node_id} | Stack traces | Application data, stored table data | |
| /_status/stores/{node_id} | Store details | Operational details | |

Note:

"Special" endpoints are subject to the cluster setting server.remote_debugging.mode. Unless the setting was customized, clients are only able to connect from the same machine as the node.
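
An added example (not part of the release notes or of CockroachDB's own code): one way to inventory which URLs polled by existing monitoring automation hit the endpoints in the table above and therefore now need an admin session token. The sample URLs and host name are constructed, and a trailing `*` in the embedded list marks a "Special" endpoint.

```python
import re
from urllib.parse import urlsplit

# Endpoint templates copied from the table above; "*" marks a "Special" endpoint.
AFFECTED = """
/_admin/v1/data_distribution /_admin/v1/databases/{database}/tables/{table}/stats
/_admin/v1/drain /_admin/v1/enqueue_range /_admin/v1/events /_admin/v1/nontablestats
/_admin/v1/rangelog /_admin/v1/settings /_status/allocator/node/{node_id}*
/_status/allocator/range/{range_id}* /_status/certificates/{node_id}
/_status/details/{node_id} /_status/enginestats/{node_id} /_status/files/{node_id}*
/_status/gossip/{node_id}* /_status/hotranges /_status/local_sessions*
/_status/logfiles/{node_id}* /_status/logfiles/{node_id}/{file}* /_status/logs/{node_id}*
/_status/profile/{node_id} /_status/raft /_status/range/{range_id}
/_status/ranges/{node_id} /_status/sessions* /_status/span /_status/stacks/{node_id}
/_status/stores/{node_id}
""".split()

def _compile(entry):
    template = entry.rstrip("*")
    # Every {placeholder} stands for exactly one path segment.
    literals = re.split(r"\{[^}]+\}", template)
    pattern = "[^/]+".join(re.escape(part) for part in literals) + "/?"
    return re.compile(pattern), template, entry.endswith("*")

RULES = [_compile(entry) for entry in AFFECTED]

def classify(url):
    """Return (template, is_special) if url hits a listed endpoint, else None."""
    path = urlsplit(url).path  # drops scheme, host and query string
    for regex, template, is_special in RULES:
        if regex.fullmatch(path):
            return template, is_special
    return None

def audit(urls):
    """Keep only the URLs that now need an admin session token."""
    return {url: hit for url in urls for hit in [classify(url)] if hit}

# Constructed sample: URLs a monitoring job might poll (host is a placeholder).
BASE = "https://crdb.example.internal:8080"
SAMPLE_URLS = [BASE + "/_admin/v1/events?limit=100",
               BASE + "/_status/logfiles/1/cockroach.log",
               BASE + "/_status/ranges/2",
               BASE + "/health"]  # last entry is not in the table above

if __name__ == "__main__":
    for url, (template, is_special) in audit(SAMPLE_URLS).items():
        gate = " + server.remote_debugging.mode" if is_special else ""
        print(f"{url}\n  -> {template}: admin session required{gate}")
```
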

Admin UI changes

  • Certain web UI pages (like the list of databases or tables) now restrict their content to match the privileges of the logged-in user. #42910
  • The event log now presents all cluster settings changes, unredacted, when an admin user uses the page. #42910
  • Customization of the UI by users is now only properly saved if the user has write privilege to system.ui (i.e., is an admin user). Also, all authenticated users share the same customizations. This is a known limitation and should be lifted in a future version. #42910
  • Access to table statistics is temporarily blocked for non-admin users until further notice, for security reasons. #42910
  • Certain debug pages have been blocked from non-admin users for security reasons. #42910

Bug fixes

  • Fixed a rare data corruption bug in RocksDB caused by newer Linux kernels' handling of i_generation on certain file systems. #41394
  • Fixed a bug causing the cluster_logical_timestamp() function to sometimes return incorrect results. #41442
  • Fixed a bug causing rapid network disconnections to lead to cluster unavailability because goroutines waited for a connection which would never be initialized to send its first heartbeat. #42166
  • Fixed a case where a query (or part of a query) containing an IS NULL constraint on a unique index column was incorrectly determined to return at most one row, possibly ignoring a LIMIT 1 clause. #42793
  • ALTER INDEX IF EXISTS no longer fails when using an unqualified index name that does not match any existing index. Now it is a no-op. #42841
  • The CommandQueue no longer holds on to buffers if they become too large. This prevents unbounded growth of memory that may never be reclaimed. #42961
  • The CommandQueue now clears references to objects in its buffers to allow those objects to be reclaimed by the garbage collector. #42961
  • Fixed a bug causing disk stalls to allow a node to continue heartbeating its liveness record and prevent other nodes from taking over its leases, despite being completely unresponsive. #41734

Contributors

This release includes 8 merged PRs by 9 authors.


