Announcing security bugfix releases Kong 1.2.3, 1.3.1 and 1.4.3

Hello Kong users!

We recently merged a security fix to address one particular scenario on DB-less mode. We backported this fix to all affected Kong versions, so today we are releasing Kong 1.2.3, 1.3.1 and 1.4.3.

Detailed description of the issue

  • This is not a remote exploit
  • One particular use of the Admin API /config endpoint would produce a debug dump of the entire declarative config into the error logs (including, potentially, credentials and other sensitive information).
    • This only happens when using the JSON content-type to send the declarative config as the raw body of the request (i.e. when doing cat config.json | http :8001/config, instead of wrapping it in a config parameter like this: http :8001/config config=@config.json).
  • :warning: The pattern above is used by the Kong Ingress Controller, so KIC users are urged to update.
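For operators triaging this, the following added example (written for this page, not Kong's or the Kong Ingress Controller's own code) gates a declarative config push on the Kong version, tells the two request forms apart by whether _format_version sits at the top level of the JSON body, rewrites the raw form into the wrapped config form that http :8001/config config=@config.json sends, and scans error.log lines for the dump. The function names, the constructed error.log sample, and the assumptions that releases after 1.4.3 carry the fix (it was merged to master), that 1.1.x is simply not covered by this announcement, and that a dump reproduces the _format_version key are mine, not statements from the announcement.

```python
import json
import re

# Patch level at which each affected series received the backported fix,
# taken from the announcement. Series newer than 1.4 are treated as fixed
# because the fix was merged to master (assumption, not stated on the page).
FIXED_IN = {(1, 2): 3, (1, 3): 1, (1, 4): 3}


def parse_version(version):
    """'1.4.3' -> (1, 4, 3). Trailing suffixes such as '1.4.3rc1' are ignored."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError("unparseable version: %r" % version)
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def has_fix(version):
    """True if this Kong version contains the fix, False if it is affected,
    None if the announcement does not cover that series (e.g. 1.1.x)."""
    major, minor, patch = parse_version(version)
    series = (major, minor)
    if series in FIXED_IN:
        return patch >= FIXED_IN[series]
    if series > (1, 4):
        return True
    return None


def is_raw_declarative_body(content_type, body):
    """True for the request shape the advisory describes: a JSON content
    type with the declarative config itself as the body, so _format_version
    is a top-level key. The wrapped form {"config": "..."} returns False."""
    if "application/json" not in content_type.lower():
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and "_format_version" in doc


def wrap_config(body):
    """Rewrite a raw declarative body into the wrapped form, i.e. the JSON
    document that `http :8001/config config=@config.json` sends: the file
    contents become the string value of a top-level `config` field."""
    if isinstance(body, bytes):
        body = body.decode("utf-8")
    return json.dumps({"config": body})


def unwrap_config(wrapped_body):
    """Inverse of wrap_config: return the embedded declarative config text."""
    return json.loads(wrapped_body)["config"]


def find_dump_lines(log_lines):
    """Heuristic scan of error.log for the dump: a declarative config always
    carries `_format_version`, so a log line containing it is a candidate for
    having leaked the whole config. Assumes the dump reproduces the config
    text (not stated on the page); treat hits as leads, not proof."""
    return [line for line in log_lines if "_format_version" in line]


# Constructed sample input for the demo (not a real Kong config or log).
RAW_CONFIG = json.dumps({
    "_format_version": "1.1",
    "services": [{"name": "example", "url": "http://upstream.internal:8080"}],
    "consumers": [{"username": "app", "keyauth_credentials": [{"key": "SECRET-KEY"}]}],
})

SAMPLE_ERROR_LOG = [
    "2019/12/06 10:00:00 [notice] 1#0: start worker processes",
    '2019/12/06 10:00:01 [debug] 22#0: {"_format_version": "1.1", "consumers": [...]}',
    "2019/12/06 10:00:02 [info] 22#0: *1 client 10.0.0.1 closed keepalive connection",
]

if __name__ == "__main__":
    for v in ("1.2.2", "1.2.3", "1.3.0", "1.4.3", "1.5.0", "1.1.2"):
        print(v, "fixed:", has_fix(v))
    print("raw body matches advisory pattern:",
          is_raw_declarative_body("application/json", RAW_CONFIG))
    print("wrapped body matches advisory pattern:",
          is_raw_declarative_body("application/json", wrap_config(RAW_CONFIG)))
    for hit in find_dump_lines(SAMPLE_ERROR_LOG):
        print("possible config dump in error.log:", hit)
```

Rotating any credentials found in a flagged error.log line is the practical follow-up; the wrapped form is only a workaround until the instance is on a fixed release, since the dump is a server-side behaviour of the affected versions.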

What’s new in the releases

The two backport releases for the 1.2 and 1.3 series contain only the security fix:

  • Do not make a debugging dump of the declarative config input into error.log when posting it with /config and using _format_version as a top-level parameter (instead of embedded in the config parameter). #5411

The new release in the 1.4 series contains the above fix, plus all the latest bugfixes merged into our master branch. They are:

  • Fix the detection of the need for balancer updates when deleting targets #5352 – Thanks zeeshen for the patch!
  • Fix behavior of longest-path criteria when matching routes #5383
  • Fix incorrect use of cache when using header-based routing #5267 – Thanks marlonfan for the patch!
  • Fix incorrect behavior of PUT for /certificates #5321
  • acl: fixed an issue where getting ACLs by group failed when multiple consumers share the same group #5322

Download

:package: Download Kong and upgrade your cluster!

None of these releases contain migrations, new features, or breaking changes.

:spiral_notepad: 1.2.3 Changelog.
:spiral_notepad: 1.3.1 Changelog.
:spiral_notepad: 1.4.3 Changelog.

:whale: The Docker images should be live soon on Docker Hub.

Happy Konging! :gorilla: