diff --git a/src/current/advisories/a133479.md b/src/current/advisories/a133479.md index d11e29f1f5d..56ad5adb956 100644 --- a/src/current/advisories/a133479.md +++ b/src/current/advisories/a133479.md 
@@ -31,27 +31,41 @@ If these values were included in diagnostic reporting sent to Cockroach Labs, th ## Statement -The default cluster setting redaction behavior in diagnostics will be resolved in CockroachDB versions 23.1.29, 23.2.14, 24.1.7, and 24.2.5. +The default cluster setting redaction behavior in diagnostics will be resolved in CockroachDB versions 23.1.29, 23.2.14, 24.1.7, 24.2.5, and 24.3.0. ## Mitigation Users of CockroachDB versions 20.2, 21.1, 21.2, 22.1, 22.2, 23.1.0 - 23.1.28, and 23.2.0 are encouraged to: -- Set the value of the `diagnostics.reporting.enabled` cluster setting to `false` using [`SET CLUSTER SETTING`]({% link v24.2/set-cluster-setting.md %}): - - `SET CLUSTER SETTING diagnostics.reporting.enabled = false;` -- Rotate any credentials if they have values set for the above cluster settings. +1. Set the value of the `diagnostics.reporting.enabled` cluster setting to `false` using [`SET CLUSTER SETTING`]({% link v24.2/set-cluster-setting.md %}): + + {% include_cached copy-clipboard.html %} + ~~~ sql + SET CLUSTER SETTING diagnostics.reporting.enabled = false; + ~~~ + +1. Rotate any credentials if they have values set for the above cluster settings. Users of CockroachDB 23.2.1 - 23.2.13, 24.1.0 - 24.1.7, 24.2.0 - 24.2.4, and 24.3-alpha.1+ are encouraged to: -- Update either of the following cluster settings using [`SET CLUSTER SETTING`]({% link v24.2/set-cluster-setting.md %}): - - Enable sensitive setting redaction - - `SET CLUSTER SETTING server.redact_sensitive_settings.enabled = true;` - - Disable diagnostic reporting - - `SET CLUSTER SETTING diagnostics.reporting.enabled = false;` -- Rotate any credentials if they have values set for the above cluster settings, such as the OIDC client secret. +1. 
Update either of the following cluster settings using [`SET CLUSTER SETTING`]({% link v24.2/set-cluster-setting.md %}): + - Enable sensitive setting redaction: + + {% include_cached copy-clipboard.html %} + ~~~ sql + SET CLUSTER SETTING server.redact_sensitive_settings.enabled = true; + ~~~ + - Disable diagnostic reporting: + + {% include_cached copy-clipboard.html %} + ~~~ sql + SET CLUSTER SETTING diagnostics.reporting.enabled = false; + ~~~ + +1. Rotate any credentials if they have values set for the above cluster settings, such as the OIDC client secret. Even without these mitigations, the information is no longer stored by Cockroach Labs and is automatically discarded by our systems, if received. All existing copies of this data have been deleted. These mitigations are not required if you have already upgraded to v23.1.29, v23.2.14, v24.1.7, v24.2.5, v24.3.0, or later patch versions in their major versions’ series. ## Impact -Customer credentials stored in sensitive cluster settings were potentially included in diagnostic payloads periodically sent by cluster nodes to Cockroach Labs for telemetry purposes. Unredacted values of sensitive cluster setting data were stored internally, within a limited access table. The payload information specifies the Cluster ID, but does not include information that directly identifies or maps the Cluster ID to the customer or host cluster. \ No newline at end of file +Customer credentials stored in sensitive cluster settings were potentially included in diagnostic payloads periodically sent by cluster nodes to Cockroach Labs for telemetry purposes. Unredacted values of sensitive cluster setting data were stored internally, within a limited access table. The payload information specifies the Cluster ID, but does not include information that directly identifies or maps the Cluster ID to the customer or host cluster.
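Review bot: the affected-version ranges in the second Mitigation list do not agree with the fixed versions stated in this same hunk. The range `24.1.0 - 24.1.7` includes 24.1.7, which the Statement line and the closing sentence (`upgraded to v23.1.29, v23.2.14, v24.1.7, v24.2.5, v24.3.0, or later`) both list as fixed, so that range should end at 24.1.6. Likewise, now that 24.3.0 is added to the fixed list, the open-ended `24.3-alpha.1+` range should be bounded to the pre-release builds before 24.3.0; as written, a reader on 24.3.0 is told both that the mitigation is encouraged and that it is not required.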