Technical advisories report major issues with CockroachDB that may impact security or stability in production environments.
Users are invited to evaluate advisories and consider the recommended mitigation actions independently from their version upgrade schedule.

Advisory | Summary | Affected versions | Date |
---|---|---|---|
A-84144 | Multi-region tables whose locality has been altered to REGIONAL BY ROW are at risk of being corrupted | v22.1.0 to v22.1.3 | July 19, 2022 |
A-82576 | Adding a column to a table which references a sequence, or creating a table with columns referencing sequences, adds an incomplete back-reference to the sequence metadata. | v22.1.0 to v22.1.2 | July 18, 2022 |
A-82079 | If a CREATE MATERIALIZED VIEW statement fails, all objects referenced in its SELECT query will be unusable. | v21.2.0 to v21.2.12, v22.1.0 | July 18, 2022 |
A-81448 | Secondary indexes containing columns that are not null, have a volatile default expression, and are present in one or more secondary indexes will have inconsistent values relative to the primary index, which can lead to incorrect query results. | v21.1.x, v21.2.0 to v21.2.12, v22.1.0 | June 28, 2022 |
A-81968 | Left outer joins and correlated subqueries can produce incorrect results. | v22.1.0 | June 6, 2022 |
A-82309 | During or after an upgrade from CockroachDB v21.2.x to v22.1.0, existing changefeeds will stop emitting data. | v22.1.0-alpha.1 to v22.1.0 | June 3, 2022 |
A-81315 | Prepared SELECT queries that filter a column with a constant cast to the wrong type fail to return the expected results | v21.2.0 to v21.2.10, v22.1.0-alpha.1 to v22.1.0 | May 23, 2022 |
A-79066 | Data key rotation is inadvertently disabled if the store key hasn't changed since the last node start | All clusters with encryption-at-rest enabled running versions of CockroachDB v20.2.x, v21.1.0 to v21.1.18, and v21.2.0 to v21.2.9. | May 2, 2022 |
A-79384 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0 to v21.1.17, v21.2.0 to v21.2.8, v22.1.0-alpha.1 to v22.1.0-beta.1 | April 14, 2022 |
A-79281 | Importing duplicate keys can cause violations of UNIQUE constraints | v21.2.0 to v21.2.7, 22.1.0-alpha.1-22.1.0-alpha.5, v22.1.0-beta.1. | April 12, 2022 |
A-78681 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0 to v21.1.16, v21.2.0 to v21.1.7, 22.1.0-alpha.1-22.1.0-alpha.5 | April 11, 2022 |
A-76522 | The optimizer can omit ON conditions of joins in query plans, causing incorrect results. | v20.2.0 to v20.2.19, v21.1.0 to v21.1.15, v21.2.0 to v21.2.6 | March 9, 2022 |
A-75758 | Users without the appropriate permissions may cancel any other users' sessions from the DB Console | v20.2.0 to v20.2.18, v21.1.0 to v21.1.13, v21.2.0 to v21.2.4 | February 10, 2022 |
A-74736 | Queries can miss rows in a primary or unique index that is being scanned, causing incorrect query results. | v21.2.0 to v21.2.4 | February 7, 2022 |
A-74385 | Partial indexes can be corrupted by UPDATE statements, resulting in incorrect query results for any queries that use the partial index | v21.1 and v21.2 prior to v21.1.13 and v21.2.4 | January 6, 2022 |
CVE-2021-44228 | No Cockroach Labs products or services are affected by the recent CVE-2021-44228 Apache Log4j vulnerability. | None | December 14, 2021 |
A-73629 | Planning queries over partitioned tables with a DEFAULT partition in a PARTITION BY LIST clause could cause a spurious internal error | v21.1 and v21.2 prior to v21.1.13 and v21.2.3 | December 14, 2021 |
A-73024 | The optimizer could plan queries that use semi-joins against multi-region REGIONAL BY ROW tables incorrectly | v21.2.0 | November 29, 2021 |
A-72839 | Backups fail during upgrade process | v21.2.0 | November 18, 2021 |
A-71553 | SQL statements that used secondary unique indexes that were created as a result of an ALTER PRIMARY KEY statement can return incorrect results. | v20.2, v21.1 | November 8, 2021 |
A-71655 | Zigzag joins could potentially produce incorrect results | v19.2, v20.1, v20.2, v21.1 | November 2, 2021 |
A-71002 | CockroachDB v21.1.9 drops WHERE predicates from prepared statements in specific circumstances | v21.1.9 | October 7, 2021 |
A-69874 | CockroachDB v21.1.8 cannot be downgraded | v21.1.8 | September 7, 2021 |
A-68005 | sql.trace.txn.enable_threshold cluster setting causes crash loops | v21.1.0 to v21.1.6 | August 20, 2021 |
A-62842 | TRUNCATE TABLE during CREATE/ALTER INDEX can cause data corruption | v20.2.0 to v20.2.8 | July 29, 2021 |
A-64325 | Race condition between reads and replica removal | v20.1 and later | May 3, 2021 |
A-63162 | Invalid incremental backups under certain circumstances | v19.1.0 to v19.1.11, v19.2.0 to v19.2.12, v20.1.0 to v20.1.14, v20.2.0 to v20.2.7 | April 30, 2021 |
A-58932 | HTTP requests can cause full-cluster denial of service (DoS) | v19.2.0 to v19.2.11, v20.1.0 to v20.1.10, v20.2.0 to v20.2.3 | February 2, 2021 |
A-56116 | Incorrect timezone calculations with "slim" zoneinfo format | All | October 29, 2020 |
A-54418 | Incorrect behavior with large batch UPSERTs | v20.1.4, v20.1.5 | September 24, 2020 |
A-50587 | TRUNCATE prevents table renaming | v19.1.0 to v19.1.10, v19.2.0 to v19.2.8 | July 6, 2020 |
A-48860 | Data corruption/loss issue with snapshots and delete range | v2.1.0 to v2.1.9, v19.1.0 to v19.1.8, v19.2.0 to v19.2.6 | May 20, 2020 |
A-44348 | Data leak in statement details | v2.1.0 to v2.1.11, v19.1.0 to v19.1.7, v19.2.0 to v19.2.3 | February 12, 2020 |
A-44299 | Schema changes may cause cluster unavailability | v19.1.0 to v19.1.7, v19.2.0 to v19.2.3 | February 12, 2020 |
A-44166 | SHOW JOBS and Jobs page can endanger cluster stability | v19.2.0 to v19.2.2 | February 12, 2020 |
A-43870 | HTTP authentication for non-Enterprise users | v2.1.10-onward, v19.1.6-onward, v19.2.2 | January 22, 2020 |
A-42567 | HTTP endpoint vulnerability | v2.1.0 to v2.1.8, v19.1.0 to v19.1.5, v19.2.0 to v19.2.1 | January 22, 2020 |
A-30821 | Authentication bypass for internal RPCs | v1.1.0 to v1.1.8, v2.0.0 to v2.0.4 | October 1, 2018 |