
CVE-2023-25570: Release Apollo 2.1.0 Release · apolloconfig/apollo

Apollo is a configuration management system. Prior to version 2.1.0, exposing apollo-configservice to the internet (which is not recommended) creates a security issue, because the built-in Eureka service registry has no authentication enabled. Anyone who can reach Eureka can read the registry and register rogue instances that impersonate apollo-configservice and apollo-adminservice. Login authentication for Eureka was added in version 2.1.0. As a workaround, do not expose apollo-configservice to the internet.


Highlights

Admin Tools Enhancement

User management enhancement
The user management page now has a list view of all users and administrators can easily find a specific user to edit.

System configuration enhancement
The system configuration page now has a list view of all configuration items of PortalDB as well as ConfigDB. Administrators can easily find a specific configuration item to edit.

Open platform authorization management enhancement
The open platform authorization management page now has a list view of third-party apps and administrators can easily find a specific app to grant permission.

Basic Types for Item

Users can now configure a type for each item, and Apollo performs a basic type check of the item value against it.
The types available now are String(default), Number, Boolean, and JSON.
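The following is an added example, not code from the Apollo project: a local re-implementation of the String/Number/Boolean/JSON check described above, usable for instance to validate items before pushing them through the Open API. The exact rules Apollo applies live in PR #4542 and may differ from the assumptions made here (Number must be a finite decimal or scientific literal, Boolean must be true/false ignoring case, JSON must parse and must not use the NaN/Infinity extensions that lenient parsers accept). The sample items at the bottom are constructed.

```python
"""Basic type check for Apollo configuration item values.

Added example, not Apollo project code. Apollo item values are strings;
the rules below are assumptions, see the lead-in text.
"""
import json
import math
import re

ITEM_TYPES = ("String", "Number", "Boolean", "JSON")

# decimal or scientific literal, optional sign; no hex, no inf/nan words
_NUMBER_RE = re.compile(r"^[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?$")


def _reject_constant(name):
    # json.loads accepts NaN/Infinity/-Infinity by default; a consumer with a
    # strict JSON parser would choke on them, so treat them as invalid here.
    raise ValueError(f"non-standard JSON constant {name}")


def check_item(value, item_type="String"):
    """Return (ok, reason) for one item value under the declared type."""
    if item_type not in ITEM_TYPES:
        raise ValueError(f"unknown item type {item_type!r}")
    if not isinstance(value, str):
        return False, "item value must be a string"
    if item_type == "String":
        return True, ""
    v = value.strip()
    if item_type == "Number":
        # the regex admits 1e400, which overflows to inf; reject that too
        if _NUMBER_RE.match(v) and math.isfinite(float(v)):
            return True, ""
        return False, f"not a number: {value!r}"
    if item_type == "Boolean":
        if v.lower() in ("true", "false"):
            return True, ""
        return False, f"not a boolean literal: {value!r}"
    try:  # JSON
        json.loads(v, parse_constant=_reject_constant)
    except ValueError as exc:  # JSONDecodeError is a ValueError
        return False, f"invalid JSON: {exc}"
    return True, ""


def validate_items(items):
    """Check a list of {"key", "value", "type"} dicts; return (key, reason) failures."""
    failures = []
    for item in items:
        ok, reason = check_item(item["value"], item.get("type", "String"))
        if not ok:
            failures.append((item["key"], reason))
    return failures


if __name__ == "__main__":
    sample = [  # constructed sample items
        {"key": "timeout.ms", "value": "1500", "type": "Number"},
        {"key": "ratio", "value": "1e3", "type": "Number"},
        {"key": "feature.on", "value": "TRUE", "type": "Boolean"},
        {"key": "feature.off", "value": "yes", "type": "Boolean"},
        {"key": "limits", "value": '{"rps": 100, "burst": 200}', "type": "JSON"},
        {"key": "broken", "value": '{"rps": }', "type": "JSON"},
        {"key": "nan", "value": "NaN", "type": "JSON"},
    ]
    for key, reason in validate_items(sample):
        print(f"{key}: {reason}")
```

Running the sample rejects feature.off, broken and nan and accepts the rest; the NaN case is the one worth noting, since Python's default json.loads would have accepted it.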

Non-properties Namespaces Comparison Feature

The comparison feature for non-properties namespaces is now available.

Support Database as the Service Registry for apollo-configservice and apollo-adminservice

Apollo now supports using a database as the service registry, without relying on a third-party service registry such as eureka.
See the database-discovery documentation for more information.

What’s Changed

Features

  • Optimize Spring-Security Firewall Deny Request Response 400 by @klboke in #4428
  • Allow users to associate multiple public namespaces at a time by @falser101 in #4437
  • Optimize the UI experience of open platform authorization management by @klboke in #4436
  • Add search key when comparing Configuration items by @falser101 in #4459
  • Add a new API to load items with pagination by @mghio in #4468
  • A user-friendly user management page for apollo portal by @zcy1010 in #4464
  • Switching spring-session serialization mode to json for compatibility with spring-security version updates by @klboke in #4484
  • Sort Namespaces acquired by multiple threads by @klboke in #4500
  • Allow users to delete AppNamespace by @klboke in #4499
  • Add configuration processor for portal developers by @vdisk-group in #4521
  • Add a potential json value check feature by @AbnerHuang2 in #4519
  • Support non-properties-diff by @SunnyBoy-WYH in #4533
  • Add an option to custom oidc userDisplayName by @vdisk-group in #4507
  • Add basic type check for Item value by @furaul in #4542
  • A user-friendly config management page for apollo portal by @webSue in #4592
  • Support use database as a registry by @Anilople in #4595
  • Users can change spring.profiles.active’s value without rebuild project by @Anilople in #4616
  • Enable login authentication for eureka by @nobodyiam in #4663
  • Portal-UI adds server config configuration management of ApolloConfigDB by @klboke in #4680

Bug fixes

  • Fix: occur a 400 error request when openapi key’s parameter contain "a[0]" by @CalebZYC in #4424
  • Upgrade mysql-connector-java version to fix possible transaction rollback failure issue by @klboke in #4425
  • Fix ‘openjdk:8-jre-alpine’ potentially causing wrong number of cpu cores by @klboke in #4475
  • Fix overwrite JSON type configuration being empty by @falser101 in #4486
  • Fix deleted at timestamp by @nobodyiam in #4493
  • Fix openapi item with url illegalKey 400 error by @AbnerHuang2 in #4549
  • Fix @Transactional invalid cases by @ksice in #4551
  • Fix the exception occurred when publish/rollback namespaces with grayrelease by @nobodyiam in #4564
  • Fix a json serialization problem during LDAP integration by @klboke in #4556
  • Fix Apollo checks the yaml format interface Response Code = 500 by @klboke in #4567
  • Fix create namespace with single dot 500 error by @AbnerHuang2 in #4568
  • Fix(sec): upgrade fastjson to 1.2.83 by @ren-jq101 in #4587
  • Fix get the openapi interface that contains namespace information for deleted items by @CalebZYC in #4596
  • Disable spring cloud discovery when running test to speed up test process and reduce error log by @wutingjia in #4604
  • Fix Grayscale release Item Value length limit can not be synchronized with its main version by @David-zhang-beep in #4622
  • Fix the problem of deleting blank items appear at the end by @wanggang19 in #4662

Misc

  • Remove database migration tool Flyway by @nisiyong in #4361
  • Refactor: replace expired method by @zhangyangx in #4429
  • Some Redundancy Code Cleanup by @HeavenTonight in #4433
  • Refactor: Simplify the code by @zhangyangx in #4435
  • Chore: fix stargazer chart with star-history.com by @tianzhou in #4441
  • Clean up Ctrip related codes by @klboke in #4448
  • Clean up deserted travis ci config by @HeavenTonight in #4450
  • Move apollo-demo, scripts/docker-quick-start and scripts/apollo-on-kubernetes out of main repository by @nobodyiam in #4440
  • Optimize apolloconfigdb-v190-v200-after.sql by @klboke in #4470
  • Optimize performance of ‘/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces’ interface queries by @klboke in #4473
  • Fix test case NamespaceServiceTest.testFindNamespace() by @klboke in #4491
  • Refactor(apollo-biz): simplify the code of ReleaseService by @mghio in #4502
  • Replace the deprecated SHA-1 algorithm for generating open-api token by @mghio in #4504
  • Refactor ItemSetService(updateSet Item) and ConfigChangeContentBuilder a little bit by @mghio in #4515
  • Refactor tryToGetClientIp method by @klboke in #4514
  • Fix transaction invalid by @ksice in #4509
  • Refactor: Simplify code by @mghio in #4524
  • Update apollo-introduction.md by @ddzyan in #4534
  • Add index for table ReleaseHistory by @mghio in #4550
  • Refactoring the message splicing of internal Exceptions by @klboke in #4571
  • Fix: add missing @Override annotation for ApolloEurekaClientConfig#getEurekaServerServiceUrls by @CalebZYC in #4575
  • Add overloaded shortcut method to register BeanDefinition by @liaozan in #4574
  • Docs: misspelled recommend by @llnancy in #4582
  • Docs: add a version notice in the Open API documentation by @mghio in #4585
  • Docs: add nodejs client sdk by @ChoGathK in #4590
  • Move apollo-core, apollo-client, apollo-mockserver, apollo-openapi and apollo-client-config-data to apollo-java repo by @nobodyiam in #4594
  • Fix doc bug by @lepdou in #4579
  • Fixes testUpdateBranchGrayRulesWithUpdateOnce by @ZhewenFu in #4599
  • Fix flaky test in apollo-biz by @anantdahiya8 in #4618
  • Docs: fix markdown code blocks by change 4 back quote to 3 back quote by @hxpdong in #4631
  • Refactor: remove app.properties and move some config file’s location by @Anilople in #4637
  • Docs: upgrade rainbond deploy docs version to 2.0.1 by @week2311 in #4652
  • Add an apollo-go client by @xnzone in #4665
  • Config cookie same site to lax by @nobodyiam in #4664
  • Update docker quick start document by @schneiderlin in #4675
  • Add portal https guide by @nobodyiam in #4676
  • Unify the experience of using the portal UI by @klboke in #4681
  • Simplify url assembly in test cases by @klboke in #4682
  • Add github action to publish docker image by @nobodyiam in #4685
  • Delete unused code by @klboke in #4701
  • Docs: add apollo rust client by @liushv0 in #4704

Breaking Changes

As discussed in #4353, Apollo drops support for the Flyway database migration tool.

Installation

Please refer to the Distributed Deployment Guide.

How to upgrade from v2.0.1 to v2.1.0

  • Apply apolloconfigdb-v200-v210.sql to ApolloConfigDB
  • Deploy v2.1.0 executables with the following sequences:
    • apollo-configservice
    • apollo-adminservice
    • apollo-portal
  • Execute the following SQL to clear the Spring sessions, as Spring Security sessions are not compatible between versions (see spring-projects/spring-security#9204). Note that this signs every portal user out; they simply log in again.

    use ApolloPortalDB;
    delete from `SPRING_SESSION_ATTRIBUTES`;
    delete from `SPRING_SESSION`;

New Contributors

  • @shenhuaxin made their first contribution in #4409
  • @lorgine-li made their first contribution in #4414
  • @Anthony-Lu made their first contribution in #4419
  • @zhangyangx made their first contribution in #4429
  • @HeavenTonight made their first contribution in #4433
  • @tianzhou made their first contribution in #4441
  • @falser101 made their first contribution in #4437
  • @ksice made their first contribution in #4509
  • @ddzyan made their first contribution in #4534
  • @AbnerHuang2 made their first contribution in #4519
  • @SunnyBoy-WYH made their first contribution in #4533
  • @furaul made their first contribution in #4542
  • @liaozan made their first contribution in #4574
  • @llnancy made their first contribution in #4582
  • @ren-jq101 made their first contribution in #4587
  • @ChoGathK made their first contribution in #4590
  • @wutingjia made their first contribution in #4604
  • @webSue made their first contribution in #4592
  • @ZhewenFu made their first contribution in #4599
  • @anantdahiya8 made their first contribution in #4618
  • @David-zhang-beep made their first contribution in #4622
  • @hxpdong made their first contribution in #4631
  • @week2311 made their first contribution in #4652
  • @xnzone made their first contribution in #4665
  • @wanggang19 made their first contribution in #4662
  • @schneiderlin made their first contribution in #4675
  • @liushv0 made their first contribution in #4704

Related news

GHSA-368x-wmmg-hq5c: Apollo has potential access control security issue in eureka

Impact

If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues since there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and apollo-adminservice.

Patches

Login authentication for eureka was added in https://github.com/apolloconfig/apollo/pull/4663 and was released in v2.1.0 (https://github.com/apolloconfig/apollo/releases/tag/v2.1.0).

Workarounds

To fix the potential issue without upgrading, simply follow the advice and do not expose apollo-configservice to the internet.

References

Apollo Security Guidance: https://www.apolloconfig.com/#/en/usage/apollo-user-guide?id=_71-security-related

For more information

If you have any questions or comments about this advisory:
  • Open an issue at https://github.com/apolloconfig/apollo/issues
  • Email us at [email protected] (mailto:apo...
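Both the CVE description at the top of the page and this advisory say the same thing: before 2.1.0 the embedded Eureka registry answers anyone who can reach apollo-configservice. The following is an added example, not code from the Apollo project, that checks this from the outside. It reads the registry endpoint /eureka/apps, which is the standard Spring Cloud Netflix Eureka REST path rather than anything Apollo-specific, and is a read-only probe that registers nothing. A constructed fake Eureka server reproduces the pre-2.1.0 (open) and 2.1.0 (HTTP Basic auth) behaviour so the check runs offline; against a real deployment call assess_eureka() with the config service URL (Apollo's default is http://<host>:8080). The server-side settings the example assumes for the 2.1.0 fix, taken from the project documentation and to be verified against the version you run, are apollo.eureka.server.security.enabled=true, apollo.eureka.server.security.username and apollo.eureka.server.security.password, with clients pointed at http://<user>:<password>@<host>:8080/eureka/. The hostnames and credentials in the fake registry are constructed.

```python
"""Probe whether an Apollo config service's embedded Eureka registry is
readable without credentials. Added example, not Apollo project code.
"""
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

APPS_PATH = "/eureka/apps"  # standard Eureka REST path for the full registry


def _get_status(url, auth=None, timeout=5):
    """GET url and return the HTTP status code, or None if unreachable."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError:
        return None


def assess_eureka(base_url, auth=None):
    """Read-only check of GET /eureka/apps. Returns a dict with
    anonymous_status, read_open (registry served with no credentials),
    auth_works (only if auth given) and a one-line verdict."""
    url = base_url.rstrip("/") + APPS_PATH
    anon = _get_status(url)
    result = {"anonymous_status": anon, "read_open": anon == 200}
    if auth is not None:
        result["auth_works"] = _get_status(url, auth=auth) == 200
    if anon is None:
        result["verdict"] = "unreachable"
    elif anon == 200:
        result["verdict"] = "registry readable without credentials (pre-2.1.0 behaviour, or eureka security not enabled)"
    elif anon in (401, 403):
        result["verdict"] = "authentication enforced"
    else:
        result["verdict"] = f"unexpected status {anon}"
    return result


class _FakeEureka(BaseHTTPRequestHandler):
    """Constructed stand-in for the embedded Eureka server (offline only).
    Serves a minimal registry; demands HTTP Basic auth when the server's
    require_auth attribute is True, mirroring the 2.1.0 behaviour."""
    registry = {"applications": {"application": [
        {"name": "APOLLO-CONFIGSERVICE",
         "instance": [{"hostName": "10.0.0.5", "port": {"$": 8080}, "status": "UP"}]},
        {"name": "APOLLO-ADMINSERVICE",
         "instance": [{"hostName": "10.0.0.6", "port": {"$": 8090}, "status": "UP"}]}]}}
    expected_auth = "Basic " + base64.b64encode(b"apollo:s3cret").decode()

    def do_GET(self):
        if self.path != APPS_PATH:
            self.send_error(404)
            return
        if self.server.require_auth and self.headers.get("Authorization") != self.expected_auth:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="eureka"')
            self.end_headers()
            return
        body = json.dumps(self.registry).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def _serve(require_auth):
    srv = HTTPServer(("127.0.0.1", 0), _FakeEureka)
    srv.require_auth = require_auth
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Assess the open (pre-2.1.0) and authenticated (2.1.0) fake servers."""
    out = {}
    for label, require_auth in (("no_auth", False), ("auth_enabled", True)):
        srv = _serve(require_auth)
        out[label] = assess_eureka(f"http://127.0.0.1:{srv.server_port}", auth=("apollo", "s3cret"))
        srv.shutdown()
        srv.server_close()
    return out


if __name__ == "__main__":
    for label, res in run_demo().items():
        print(label, res["verdict"])
```

A 200 on the anonymous request is enough to conclude that Eureka security is off, since the 2.1.0 login applies to the whole Eureka endpoint; the probe deliberately stops there rather than registering an instance, which would alter a live registry. Run it against every address the config service listens on, not only the one the portal uses.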
