December 16, 2019
Get future release notes emailed to you:
Downloads
Docker image
$ docker pull cockroachdb/cockroach:v2.1.10
Security updates
CockroachDB previously allowed non-authenticated access to privileged HTTP endpoints like
/_admin/v1/events, which operate usingrootuser permissions and can thus access (and sometimes modify) any and all data in the cluster. This security vulnerability has been patched by disallowing non-authenticated access to these endpoints and restricting access to admin users only.Note:Users who have built monitoring automation using these HTTP endpoints must modify their automation to work using an HTTP session token for an admin user.
Some Admin UI screens (e.g., Jobs) were previously incorrectly displayed using
rootuser permissions, regardless of the logged-in user's credentials. This enabled insufficiently privileged users to access privileged information. This security vulnerability has been patched by using the credentials of the logged-in user to display all Admin UI screens.Privileged HTTP endpoints and certain Admin UI screens require an admin user. However,
rootis disallowed from logging in via HTTP and it is not possible to create additional admin accounts without an Enterprise license. This is further discussed here and will be addressed in an upcoming patch revision.Note:Users without an Enterprise license can create an additional admin user using a temporary evaluation license, until an alternative is available. A user created this way will persist beyond the license expiry.
Some Admin UI screens currently display an error or a blank page when viewed by a non-admin user (e.g., Table Details). This is a known limitation mistakenly introduced by the changes described above. This situation is discussed further here and will be addressed in an upcoming patch revision. The list of UI pages affected includes but is not limited to:
- Job details
- Database details
- Table details
- Zone configurations
Note:Users can access these Admin UI screens using an admin user until a fix is available.
The list of HTTP endpoints affected by the first change above includes:
| HTTP Endpoint | Description | Sensitive information revealed | Special (see below) |
|---|---|---|---|
/_admin/v1/data_distribution |
Database-table-node mapping | Database and table names | |
/_admin/v1/databases/{database}/tables/{table}/stats |
Table stats histograms | Stored table data via PK values | |
/_admin/v1/drain |
API to shut down a node | Can cause DoS on cluster | |
/_admin/v1/enqueue_range |
Force range rebalancing | Can cause DoS on cluster | |
/_admin/v1/events |
Event log | Usernames, stored object names, privilege mappings | |
/_admin/v1/nontablestats |
Non-table statistics | Stored table data via PK values | |
/_admin/v1/rangelog |
Range log | Stored table data via PK values | |
/_admin/v1/settings |
Cluster settings | Organization name | |
/_status/allocator/node/{node_id} |
Rebalance simulator | Can cause DoS on cluster | yes |
/_status/allocator/range/{range_id} |
Rebalance simulatoor | Can cause DoS on cluster | yes |
/_status/certificates/{node_id} |
Node and user certificates | Credentials | |
/_status/details/{node_id} |
Node details | Internal IP addresses | |
/_status/enginestats/{node_id} |
Storage statistics | Operational details | |
/_status/files/{node_id} |
Retrieve heap and goroutine dumps | Operational details | yes |
/_status/gossip/{node_id} |
Gossip details | Internal IP addresses | yes |
/_status/hotranges |
Ranges with active requests | Stored table data via PK values | |
/_status/local_sessions |
SQL sessions | Cleartext SQL queries | yes |
/_status/logfiles/{node_id} |
List of log files | Operational details | yes |
/_status/logfiles/{node_id}/{file} |
Server logs + entries | Many: names, application data, credentials, etc. | yes |
/_status/logs/{node_id} |
Log entries | Many: names, application data, credentials, etc. | yes |
/_status/profile/{node_id} |
Profiling data | Operational details | |
/_status/raft |
Raft details | Stored table data via PK values | |
/_status/range/{range_id} |
Range details | Stored table data via PK values | |
/_status/ranges/{node_id} |
Range details | Stored table data via PK values | |
/_status/sessions |
SQL sessions | Cleartext SQL queries | yes |
/_status/span |
Statistics per key span | Whether certain table rows exist | |
/_status/stacks/{node_id} |
Stack traces | Application data, stored table data | |
/_status/stores/{node_id} |
Store details | Operational details |
"Special" endpoints are subject to the cluster setting server.remote_debugging.mode. Unless the setting was customized, clients are only able to connect from the same machine as the node.
Admin UI changes
- Certain web UI pages (like the list of databases or tables) now restrict their content to match the privileges of the logged-in user. #42910
- The event log now presents all cluster settings changes, unredacted, when an admin user uses the page. #42910
- Customization of the UI by users is now only properly saved if the user has write privilege to
system.ui(i.e., is an admin user). Also, all authenticated users share the same customizations. This is a known limitation and should be lifted in a future version. #42910 - Access to table statistics are temporarily blocked from access by non-admin users until further notice, for security reasons. #42910
- Certain debug pages have been blocked from non-admin users for security reasons. #42910
Bug fixes
- Fixed a rare data corruption bug in RocksDB caused by newer Linux kernel's handling of i_generation on certain file systems. #41394
- Fixed a bug causing the
cluster_logical_timestamp()function to sometimes return incorrect results. #41442 - Fixed a bug causing rapid network disconnections to lead to cluster unavailability because goroutines waited for a connection which would never be initialized to send its first heartbeat. #42166
- Fixed a case where we incorrectly determine that a query (or part of a query) which contains an
IS NULLconstraint on a unique index column returns at most one row, possibly ignoring aLIMIT 1clause. #42793 ALTER INDEX IF EXISTSno longer fails when using an unqualified index name that does not match any existing index. Now it is a no-op. #42841- The
CommandQueueno longer holds on to buffers if they become too large. This prevents unbounded growth of memory that may never be reclaimed. #42961 - The
CommandQueuenow clears references to objects in its buffers to allow those objects to be reclaimed by the garbage collector. #42961 - Fixed a bug causing disk stalls to allow a node to continue heartbeating its liveness record and prevent other nodes from taking over its leases, despite being completely unresponsive. #41734
Contributors
This release includes 8 merged PRs by 9 authors.
Was this helpful?
