-
Notifications
You must be signed in to change notification settings - Fork 458
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add technical advisory 133479 (#19055)
- Loading branch information
Showing
1 changed file
with
57 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| --- | ||
| title: Technical Advisory 133479 | ||
| advisory: A-133479 | ||
| summary: Diagnostics reporting, if enabled for a cluster, may have sent OIDC credentials stored in cluster settings to a secure, limited access Cockroach Labs telemetry database. The payload would have contained a unique cluster ID, and no publicly identifiable customer information. | ||
| toc: true | ||
| affected_versions: v20.2, v21.1, v21.2, v22.1, v22.2, v23.1.0 to v23.1.28, v23.2.0 to 23.2.13, v24.1.0 to v24.1.6, v24.2.0 to v24.2.4, v24.3.0-alpha.1+ | ||
| advisory_date: 2024-10-25 | ||
| docs_area: releases | ||
| --- | ||
|
|
||
| Publication date: {{ page.advisory_date | date: "%B %e, %Y" }} | ||
|
|
||
| ## Description | ||
|
|
||
| CockroachDB diagnostics reporting, if enabled for a cluster in CockroachDB Cloud or in a Self-Hosted deployment, could have been sending the values of the cluster settings specified below through the telemetry payload sent to Cockroach Labs or stored by you locally. This behavior was due to a bug that incorrectly used user-configurable cluster setting redaction code paths when reporting diagnostics. This data is no longer stored by Cockroach Labs and is no longer sent in upcoming patch releases. | ||
|
|
||
| The data would be sent only if the [cluster setting]({% link v24.2/cluster-settings.md %}) `diagnostics.reporting.enabled` was set to `true` and `server.redact_sensitive_settings.enabled` was set to `false`. These are the default values for those cluster settings. | ||
|
|
||
| The affected cluster setting in versions 20.2, 21.1, 21.2, 22.1, 22.2, 23.1, and 23.2.0 is: | ||
|
|
||
| - `server.oidc_authentication.client_id` | ||
|
|
||
| The affected cluster settings in versions 23.2.1+, 24.1, 24.2, and 24.3 are: | ||
|
|
||
| - `server.oidc_authentication.client_id` | ||
| - `server.oidc_authentication.client_secret` | ||
|
|
||
| To prevent the values of these cluster settings from being sent, we recommend either upgrading to specific patch versions as they become available (as detailed in the [Statement](#statement) section) or following the [Mitigation](#mitigation) steps outlined below. However, even if you do not correct this issue and continue to send this data to Cockroach Labs, it will be automatically discarded by our systems, if received. | ||
|
|
||
| If these values were included in diagnostic reporting sent to Cockroach Labs, they were stored in a secure, non-public, restricted Cockroach Labs telemetry database, and have now been deleted. If you need help determining if this information was sent to Cockroach Labs by your CockroachDB clusters, email <a href="mailto:[email protected]?subject=TA 133479 Cluster Review">[email protected]</a> with the subject "TA 133479 - Cluster Review" and a list of the Cluster IDs in question, and we will respond after evaluating what data we may have received. | ||
|
|
||
| ## Statement | ||
|
|
||
| The default cluster setting redaction behavior in diagnostics will be resolved in CockroachDB versions 23.1.29, 23.2.14, 24.1.7, and 24.2.5. | ||
|
|
||
| ## Mitigation | ||
|
|
||
| Users of CockroachDB versions 20.2, 21.1, 21.2, 22.1, 22.2, 23.1.0 - 23.1.28, and 23.2.0 are encouraged to: | ||
|
|
||
| - Set the value of the `diagnostics.reporting.enabled` cluster setting to `false` using [`SET CLUSTER SETTING`]({% link v24.2/set-cluster-setting.md %}): | ||
| - `SET CLUSTER SETTING diagnostics.reporting.enabled = false;` | ||
| - Rotate any credentials if they have values set for the above cluster settings. | ||
|
|
||
| Users of CockroachDB 23.2.1 - 23.2.13, 24.1.0 - 24.1.7, 24.2.0 - 24.2.4, and 24.3-alpha.1+ are encouraged to: | ||
|
|
||
| - Update either of the following cluster settings using [`SET CLUSTER SETTING`]({% link v24.2/set-cluster-setting.md %}): | ||
| - Enable sensitive setting redaction | ||
| - `SET CLUSTER SETTING server.redact_sensitive_settings.enabled = true;` | ||
| - Disable diagnostic reporting | ||
| - `SET CLUSTER SETTING diagnostics.reporting.enabled = false;` | ||
| - Rotate any credentials if they have values set for the above cluster settings, such as the OIDC client secret. | ||
|
|
||
| Even without these mitigations, the information is no longer stored by Cockroach Labs and is automatically discarded by our systems, if received. All existing copies of this data have been deleted. These mitigations are not required if you have already upgraded to v23.1.29, v23.2.14, v24.1.7, v24.2.5, v24.3.0, or later patch versions in their major versions’ series. | ||
|
|
||
| ## Impact | ||
|
|
||
| Customer credentials stored in sensitive cluster settings were potentially included in diagnostic payloads periodically sent by cluster nodes to Cockroach Labs for telemetry purposes. Unredacted values of sensitive cluster setting data were stored internally, within a limited access table. The payload information specifies the Cluster ID, but does not include information that directly identifies or maps the Cluster ID to the customer or host cluster. |