CVE-2023-25570: Release Apollo 2.1.0 Release · apolloconfig/apollo
Apollo is a configuration management system. Prior to version 2.1.0, there are potential security issues if users expose apollo-configservice to the internet, which is not recommended, because no authentication is enabled for the built-in eureka service. Malicious hackers may access eureka directly to impersonate (mock) apollo-configservice and apollo-adminservice. Login authentication for eureka was added in version 2.1.0. As a workaround, avoid exposing apollo-configservice to the internet.
Highlights
Admin Tools Enhancement
User management enhancement
The user management page now has a list view of all users and administrators can easily find a specific user to edit.
System configuration enhancement
The system configuration page now has a list view of all configuration items of PortalDB as well as ConfigDB. Administrators can easily find a specific configuration item to edit.
Open platform authorization management enhancement
The open platform authorization management page now has a list view of third-party apps and administrators can easily find a specific app to grant permission.
Basic Types for Item
Users can now configure the type of an item, and Apollo performs a basic type check on the item's value based on that type.
The types available now are String (default), Number, Boolean, and JSON.
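As an added illustration of what such a basic type check does (this is example code written for this page, not Apollo's own implementation, and the exact acceptance rules Apollo applies, for instance whether `TRUE` counts as a Boolean, are assumptions here), the following validator checks a configuration item's string value against the four declared types listed above and reports items that would be rejected before publication:

```python
import json
import re
from typing import Callable, Dict, List, Tuple

# Number: optional sign, integer or decimal digits, optional exponent.
# Deliberately stricter than float(): no whitespace, no "nan"/"inf", no underscores.
_NUMBER_RE = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def _check_string(value: str) -> bool:
    # String is the default type: every value is acceptable.
    return True


def _check_number(value: str) -> bool:
    return _NUMBER_RE.match(value) is not None


def _check_boolean(value: str) -> bool:
    # Assumption for this example: only the literals true/false, case-insensitive.
    return value.lower() in ("true", "false")


def _reject_constant(name: str) -> None:
    # json.loads accepts NaN/Infinity by default; treat them as invalid JSON here.
    raise ValueError(f"non-standard JSON constant: {name}")


def _check_json(value: str) -> bool:
    try:
        json.loads(value, parse_constant=_reject_constant)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False
    return True


# Dispatch table keyed by the type names the release notes list.
CHECKERS: Dict[str, Callable[[str], bool]] = {
    "String": _check_string,
    "Number": _check_number,
    "Boolean": _check_boolean,
    "JSON": _check_json,
}


def check_item(key: str, value: str, item_type: str = "String") -> Tuple[bool, str]:
    """Return (ok, message) for one item; unknown types are rejected, not ignored."""
    checker = CHECKERS.get(item_type)
    if checker is None:
        return False, f"{key}: unknown item type {item_type!r}"
    if checker(value):
        return True, f"{key}: value {value!r} is a valid {item_type}"
    return False, f"{key}: value {value!r} is not a valid {item_type}"


def validate_items(items: List[dict]) -> List[str]:
    """Run check_item over a list of {key, value, type} dicts and return the failures."""
    errors = []
    for item in items:
        ok, message = check_item(item["key"], item["value"], item.get("type", "String"))
        if not ok:
            errors.append(message)
    return errors


# Constructed sample namespace content for demonstration.
SAMPLE_ITEMS = [
    {"key": "timeout.ms", "value": "3000", "type": "Number"},
    {"key": "retry.ms", "value": "3000ms", "type": "Number"},       # fails: unit suffix
    {"key": "feature.enabled", "value": "yes", "type": "Boolean"},  # fails: not true/false
    {"key": "limits", "value": '{"maxConn": 10}', "type": "JSON"},
    {"key": "bad.limits", "value": "{maxConn: 10}", "type": "JSON"},  # fails: unquoted key
    {"key": "greeting", "value": "hello, world", "type": "String"},
]

if __name__ == "__main__":
    for line in validate_items(SAMPLE_ITEMS):
        print("REJECT", line)
```

Running the block prints one REJECT line for each of the three deliberately malformed sample items; everything else passes. Keeping the check in a single dispatch table makes adding a new type a one-line change and, more importantly, makes an unknown type a hard failure rather than silently falling back to String.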
Non-properties Namespaces Comparison Feature
The comparison feature for non-properties namespaces is now available.
Support Database as the Service Registry for apollo-configservice and apollo-adminservice
Apollo now supports using a database as the service registry, without relying on a third-party service registry such as eureka.
See database-discovery for more information.
What’s Changed
Features
- Optimize Spring-Security Firewall Deny Request Response 400 by @klboke in #4428
- Allow users to associate multiple public namespaces at a time by @falser101 in #4437
- Optimize the UI experience of open platform authorization management by @klboke in #4436
- Add search key when comparing Configuration items by @falser101 in #4459
- Add a new API to load items with pagination by @mghio in #4468
- A user-friendly user management page for apollo portal by @zcy1010 in #4464
- Switching spring-session serialization mode to json for compatibility with spring-security version updates by @klboke in #4484
- Sort Namespaces acquired by multiple threads by @klboke in #4500
- Allow users to delete AppNamespace by @klboke in #4499
- Add configuration processor for portal developers by @vdisk-group in #4521
- Add a potential json value check feature by @AbnerHuang2 in #4519
- Support non-properties-diff by @SunnyBoy-WYH in #4533
- Add an option to custom oidc userDisplayName by @vdisk-group in #4507
- Add basic type check for Item value by @furaul in #4542
- A user-friendly config management page for apollo portal by @webSue in #4592
- Support use database as a registry by @Anilople in #4595
- Users can change spring.profiles.active’s value without rebuilding the project by @Anilople in #4616
- Enable login authentication for eureka by @nobodyiam in #4663
- Portal-UI adds server config configuration management of ApolloConfigDB by @klboke in #4680
Bug fixes
- Fix: a 400 error occurred when an openapi key’s parameter contained "a[0]" by @CalebZYC in #4424
- Upgrade mysql-connector-java version to fix possible transaction rollback failure issue by @klboke in #4425
- Fix ‘openjdk:8-jre-alpine’ potentially causing wrong number of cpu cores by @klboke in #4475
- Fix overwrite JSON type configuration being empty by @falser101 in #4486
- Fix deleted at timestamp by @nobodyiam in #4493
- Fix openapi item with url illegalKey 400 error by @AbnerHuang2 in #4549
- Fix @Transactional invalid cases by @ksice in #4551
- Fix the exception that occurred when publishing/rolling back namespaces with a gray release by @nobodyiam in #4564
- Fix a json serialization problem during LDAP integration by @klboke in #4556
- Fix Apollo checks the yaml format interface Response Code = 500 by @klboke in #4567
- Fix create namespace with single dot 500 error by @AbnerHuang2 in #4568
- Fix(sec): upgrade fastjson to 1.2.83 by @ren-jq101 in #4587
- Fix get the openapi interface that contains namespace information for deleted items by @CalebZYC in #4596
- Disable spring cloud discovery when running test to speed up test process and reduce error log by @wutingjia in #4604
- Fix Grayscale release Item Value length limit can not be synchronized with its main version by @David-zhang-beep in #4622
- Fix the problem of deleting blank items that appear at the end by @wanggang19 in #4662
Misc
- Remove database migration tool Flyway by @nisiyong in #4361
- Refactor: replace expired method by @zhangyangx in #4429
- Some Redundancy Code Cleanup by @HeavenTonight in #4433
- Refactor: Simplify the code by @zhangyangx in #4435
- Chore: fix stargazer chart with star-history.com by @tianzhou in #4441
- Clean up Ctrip related codes by @klboke in #4448
- Clean up deserted travis ci config by @HeavenTonight in #4450
- Move apollo-demo, scripts/docker-quick-start and scripts/apollo-on-kubernetes out of main repository by @nobodyiam in #4440
- Optimize apolloconfigdb-v190-v200-after.sql by @klboke in #4470
- Optimize performance of ‘/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces’ interface queries by @klboke in #4473
- Fix test case NamespaceServiceTest.testFindNamespace() by @klboke in #4491
- Refactor(apollo-biz): simplify the code of ReleaseService by @mghio in #4502
- Replace the deprecated SHA-1 algorithm for generating open-api token by @mghio in #4504
- Refactor ItemSetService(updateSet Item) and ConfigChangeContentBuilder a little bit by @mghio in #4515
- Refactor tryToGetClientIp method by @klboke in #4514
- Fix transaction invalid by @ksice in #4509
- Refactor: Simplify code by @mghio in #4524
- Update apollo-introduction.md by @ddzyan in #4534
- Add index for table ReleaseHistory by @mghio in #4550
- Refactoring the message splicing of internal Exceptions by @klboke in #4571
- Fix: add missing @Override annotation for ApolloEurekaClientConfig#getEurekaServerServiceUrls by @CalebZYC in #4575
- Add overloaded shortcut method to register BeanDefinition by @liaozan in #4574
- Docs: misspelled recommend by @llnancy in #4582
- Docs: add a version notice in the Open API documentation by @mghio in #4585
- Docs: add nodejs client sdk by @ChoGathK in #4590
- Move apollo-core, apollo-client, apollo-mockserver, apollo-openapi and apollo-client-config-data to apollo-java repo by @nobodyiam in #4594
- Fix doc bug by @lepdou in #4579
- Fixes testUpdateBranchGrayRulesWithUpdateOnce by @ZhewenFu in #4599
- Fix flaky test in apollo-biz by @anantdahiya8 in #4618
- Docs: fix markdown code blocks by changing 4 backquotes back to 3 backquotes by @hxpdong in #4631
- Refactor: remove app.properties and move some config file’s location by @Anilople in #4637
- Docs: upgrade rainbond deploy docs version to 2.0.1 by @week2311 in #4652
- Add an apollo-go client by @xnzone in #4665
- Config cookie same site to lax by @nobodyiam in #4664
- Update docker quick start document by @schneiderlin in #4675
- Add portal https guide by @nobodyiam in #4676
- Unify the experience of using the portal UI by @klboke in #4681
- Simplify url assembly in test cases by @klboke in #4682
- Add github action to publish docker image by @nobodyiam in #4685
- Delete unused code by @klboke in #4701
- Docs: add apollo rust client by @liushv0 in #4704
Breaking Changes
As discussed in #4353, apollo drops support for the flyway database migration tool.
Installation
Please refer to the Distributed Deployment Guide.
How to upgrade from v2.0.1 to v2.1.0
- Apply apolloconfigdb-v200-v210.sql to ApolloConfigDB
- Deploy the v2.1.0 executables in the following sequence:
  - apollo-configservice
  - apollo-adminservice
  - apollo-portal
- Execute the following SQL to clear the Spring sessions, because Spring Security sessions are not compatible between versions (see spring-projects/spring-security#9204):
use ApolloPortalDB; delete from `SPRING_SESSION_ATTRIBUTES`; delete from `SPRING_SESSION`;
New Contributors
- @shenhuaxin made their first contribution in #4409
- @lorgine-li made their first contribution in #4414
- @Anthony-Lu made their first contribution in #4419
- @zhangyangx made their first contribution in #4429
- @HeavenTonight made their first contribution in #4433
- @tianzhou made their first contribution in #4441
- @falser101 made their first contribution in #4437
- @ksice made their first contribution in #4509
- @ddzyan made their first contribution in #4534
- @AbnerHuang2 made their first contribution in #4519
- @SunnyBoy-WYH made their first contribution in #4533
- @furaul made their first contribution in #4542
- @liaozan made their first contribution in #4574
- @llnancy made their first contribution in #4582
- @ren-jq101 made their first contribution in #4587
- @ChoGathK made their first contribution in #4590
- @wutingjia made their first contribution in #4604
- @webSue made their first contribution in #4592
- @ZhewenFu made their first contribution in #4599
- @anantdahiya8 made their first contribution in #4618
- @David-zhang-beep made their first contribution in #4622
- @hxpdong made their first contribution in #4631
- @week2311 made their first contribution in #4652
- @xnzone made their first contribution in #4665
- @wanggang19 made their first contribution in #4662
- @schneiderlin made their first contribution in #4675
- @liushv0 made their first contribution in #4704
Related news
### Impact
If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues since there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice.
### Patches
Login authentication for eureka was added in https://github.com/apolloconfig/apollo/pull/4663 and was released in [v2.1.0](https://github.com/apolloconfig/apollo/releases/tag/v2.1.0).
### Workarounds
To fix the potential issue without upgrading, simply follow the advice not to expose apollo-configservice to the internet.
### References
[Apollo Security Guidance](https://www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related)
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [issue](https://github.com/apolloconfig/apollo/issues)
* Email us at [[email protected]](mailto:apo...
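To make the advisory's point concrete for both the summary at the top of the page and the Impact section above: the difference between the pre-2.1.0 and 2.1.0 behaviour is whether the registry endpoint decides anything at all before accepting a registration. The model below is added example code for this page, not the project's own Spring Security configuration from #4663; the credential names, the `require_auth` switch and the HTTP Basic scheme are assumptions chosen to illustrate the decision, and the real Eureka endpoint is a Java service, not this function.

```python
import base64
import hmac
from typing import Mapping, Optional, Tuple

# Constructed credentials for the example only; a real deployment takes these
# from the service's configuration, never from source code.
REGISTRY_USER = "registry-user"
REGISTRY_PASSWORD = "example-only-password"


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a legitimate client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an HTTP Basic Authorization header into (user, password), or None if malformed."""
    if header is None:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authorize_registry_request(headers: Mapping[str, str], require_auth: bool) -> Tuple[int, str]:
    """Decide whether a request to the registry endpoint may proceed.

    require_auth=False models the pre-2.1.0 condition the advisory describes: any
    caller that can reach the endpoint is accepted, so reachability alone is
    enough to register a fake service instance. require_auth=True models a
    registry that demands credentials and answers 401 otherwise.
    Returns (HTTP status code, reason).
    """
    if not require_auth:
        return 200, "accepted without credentials (unauthenticated registry)"
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401, "missing or malformed credentials"
    user, password = creds
    # Constant-time comparison so timing does not reveal which part mismatched;
    # evaluate both before branching rather than short-circuiting on the user.
    user_ok = hmac.compare_digest(user.encode("utf-8"), REGISTRY_USER.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), REGISTRY_PASSWORD.encode("utf-8"))
    if not (user_ok and pass_ok):
        return 401, "invalid credentials"
    return 200, "authenticated"


# Constructed sample requests: one with no credentials, one from a configured service.
ANONYMOUS_REQUEST: Mapping[str, str] = {"Content-Type": "application/json"}
SERVICE_REQUEST: Mapping[str, str] = {
    "Content-Type": "application/json",
    "Authorization": basic_auth_header(REGISTRY_USER, REGISTRY_PASSWORD),
}

if __name__ == "__main__":
    for label, headers in (("anonymous", ANONYMOUS_REQUEST), ("service", SERVICE_REQUEST)):
        for require_auth in (False, True):
            status, reason = authorize_registry_request(headers, require_auth)
            print(f"{label:9} require_auth={require_auth!s:5} -> {status} {reason}")
```

The anonymous request is accepted in the open configuration and rejected in the authenticated one, while the configured service passes both; that is exactly why the upgrade closes the gap and why, short of upgrading, keeping the endpoint off the internet is the only control left. Enabling authentication on the registry is a defence in depth measure, not a replacement for the network restriction the release notes recommend.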