Hello Kong users!
We recently merged a security fix to address one particular scenario on DB-less mode. We backported this fix to all affected Kong versions, so today we are releasing Kong 1.2.3, 1.3.1 and 1.4.3.
Detailed description of the issue
- This is not a remote exploit
- This affects one particular use of the Admin API: the `/config` endpoint would produce a debug dump of the entire declarative config into the error logs (including potentially credentials and other sensitive information).
- This only happens when using the JSON content-type to send the declarative config as a raw body of the request (i.e. when doing `cat config.json | http :8001/config`, instead of wrapped as a `config` parameter like this: `http :8001/config config=@config.json`).
- The pattern above is used by the Kong Ingress Controller, so KIC users are urged to update.
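Because the dump lands in `error.log`, the practical question for an operator who ran an affected version is whether any credentials already sit in the log files. The following check is an added example, not code from Kong or from this announcement: it scans log text for lines that embed a declarative config (identified by a JSON object with a top-level `_format_version` key), reports which sensitive keys the dump carries, and can produce a redacted copy of such a line for safe sharing. The log line format, the `SENSITIVE_KEYS` list and the sample log content are all constructed assumptions; the announcement does not specify how the dump was printed.

```python
import json
from typing import Dict, List

# Keys whose values would need rotating if they ever appeared in a log file.
# This list is a defensive assumption, not something the release notes enumerate.
SENSITIVE_KEYS = {"password", "secret", "key", "client_secret", "token", "cert_key"}

# Constructed sample error.log content (not from the page). The exact wording Kong
# used for the debug dump is not given in the announcement, so the prefix on the
# second line is a stand-in; what matters is that a whole JSON declarative config
# ends up embedded in a single log line.
SAMPLE_ERROR_LOG = """\
2019/12/10 10:00:00 [notice] 1#0: using the "epoll" event method
2019/12/10 10:00:05 [debug] 22#0: *3 [lua] declarative config input: {"_format_version":"1.1","consumers":[{"username":"alice","keyauth_credentials":[{"key":"SAMPLE-API-KEY"}]}],"services":[{"name":"svc","url":"http://upstream"}]}
2019/12/10 10:00:06 [info] 22#0: *3 client 127.0.0.1 closed keepalive connection
"""


def _decode_embedded_json(line: str):
    """Return (offset, decoded object) for a JSON object embedded at the end of a line,
    or (None, None) when the line carries no parseable object."""
    start = line.find("{")
    if start == -1:
        return None, None
    try:
        return start, json.loads(line[start:])
    except json.JSONDecodeError:
        return None, None


def _collect_sensitive_keys(obj, found: set) -> None:
    """Walk a decoded JSON value and collect the names of sensitive keys it contains."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in SENSITIVE_KEYS:
                found.add(k)
            _collect_sensitive_keys(v, found)
    elif isinstance(obj, list):
        for item in obj:
            _collect_sensitive_keys(item, found)


def find_config_dumps(log_text: str) -> List[Dict]:
    """Return one finding per log line that embeds a declarative-config document.

    A line counts when its embedded JSON object has the top-level `_format_version`
    key, the marker of a declarative config. Each finding records the 1-based line
    number and the sorted list of sensitive keys the dump carries.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        _, doc = _decode_embedded_json(line)
        if not isinstance(doc, dict) or "_format_version" not in doc:
            continue
        keys: set = set()
        _collect_sensitive_keys(doc, keys)
        findings.append({"line": lineno, "sensitive_keys": sorted(keys)})
    return findings


def redact_dump(line: str) -> str:
    """Return the line with the values of sensitive keys replaced by a placeholder,
    leaving the log prefix and the rest of the config intact."""
    start, doc = _decode_embedded_json(line)
    if doc is None:
        return line

    def scrub(obj):
        if isinstance(obj, dict):
            return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else scrub(v))
                    for k, v in obj.items()}
        if isinstance(obj, list):
            return [scrub(item) for item in obj]
        return obj

    return line[:start] + json.dumps(scrub(doc), separators=(",", ":"))


if __name__ == "__main__":
    for finding in find_config_dumps(SAMPLE_ERROR_LOG):
        print(f"line {finding['line']}: declarative config dump, "
              f"sensitive keys: {finding['sensitive_keys']}")
        print(redact_dump(SAMPLE_ERROR_LOG.splitlines()[finding["line"] - 1]))
```

Run it against a real `error.log` by reading the file into `find_config_dumps`; any finding with a non-empty `sensitive_keys` list is a credential that should be treated as exposed and rotated, independently of upgrading Kong.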
What’s new in the releases
The two backport releases for the 1.2 and 1.3 series contain only the security fix:
- Do not make a debugging dump of the declarative config input into `error.log` when posting it with `/config` and using `_format_version` as a top-level parameter (instead of embedded in the `config` parameter). #5411
The new release in the 1.4 series contains the above fix, plus all the latest bugfixes merged into our master branch. They are:
- Fix the detection of the need for balancer updates when deleting targets #5352 – Thanks zeeshen for the patch!
- Fix behavior of longest-path criteria when matching routes #5383
- Fix incorrect use of cache when using header-based routing #5267 – Thanks marlonfan for the patch!
- Fix incorrect behavior of PUT for /certificates #5321
- acl: fixed an issue where getting ACLs by group failed when multiple consumers share the same group #5322
Download
Download Kong and upgrade your cluster!
None of these releases contain migrations, new features nor breaking changes.
1.2.2 Changelog.
1.3.1 Changelog.
1.4.3 Changelog.
The Docker images should be live soon on Docker Hub.
Happy Konging!