Mitigations for Reported Vulnerability

smu · December 21, 2023, 10:49pm

On 21 Dec a vulnerability was reported to CrateDB regarding authentication that could potentially affect all users. We have taken immediate action to remediate and have posted details here: Disable trust of HTTP X-Real-IP header by default. The CrateDB team currently has no evidence that the issue was exploited or data inappropriately disclosed. Customers are encouraged to implement recommended mitigations while we continue to investigate and monitor the situation.

smu · December 21, 2023, 10:53pm

We’ve just now published new CrateDB releases for all 5.2, 5.3, 5.4 and 5.5 versions to the testing channels which contain the related fix.

Tu0Laj1 · December 22, 2023, 7:34am

As the discoverer of this vulnerability, I think Cratedb’s timely repair measures and responsible disclosure policy are excellent.

amotl · December 22, 2023, 9:17am

Dear @Tu0Laj1,

first of all, thank you for reporting the flaw to us.

However, handling the responsible disclosure well would have initially been your obligation. Please try to reach out to the vendor next time before you will publish a security vulnerability in the open. This is what responsible disclosure is all about.

With kind regards,
Andreas.

Tu0Laj1 · December 22, 2023, 9:27am

First of all, I apologize because I did not find a specific channel to provide feedback on security vulnerabilities in a prominent location on the GitHub of Cratedb. Someone has previously inquired about this issue: List of CVE in Crate DB · Issue #15172 · crate/crate · GitHub

amotl · December 22, 2023, 9:29am

Thank you for your feedback. We will try to improve the discoverability how to report security incidents to us, by making it more prominent.

Tu0Laj1 · December 22, 2023, 9:33am

Adding a security vulnerability feedback method to the README file of the github in Cratedb is a good way, isn’t it, or SECURITY.md

amotl · December 22, 2023, 9:50am

Good idea. I’ve just submitted a corresponding patch. Thank you again.

– Documentation: Add notices about reporting security flaws by amotl · Pull Request #15260 · crate/crate · GitHub

smu · December 22, 2023, 1:37pm

All related releases (5.2.11, 5.3.8, 5.4.7, 5.5.2) have been declared stable just now and thus are available at the stable channels.
Official docker images will be available once Update CrateDB to 5.2.11, 5.3.8, 5.4.7 and 5.5.2 by seut · Pull Request #15962 · docker-library/official-images · GitHub is merged.

Tu0Laj1 · December 27, 2023, 8:02am

Great, I reported a new vulnerability through this new vulnerability feedback method and hope it can be resolved as soon as possible.

Topic		Replies	Views
Security Vulnerability - Log4Shell RCE 0-day exploit CrateDB	11	2501	January 25, 2022
CrateDB Prometheus Adapter croaks with err="context deadline exceeded" 3rd Party Tools	16	2305	February 12, 2024
Why CrateDB admits access to everyone as default user with all privileges? Probable security issue? CrateDB	6	265	September 9, 2023
Diagnose Crate critical health CrateDB	1	536	October 14, 2021
Crate db information schema is missing the table we created CrateDB	3	496	April 8, 2022

Mitigations for Reported Vulnerability

Related Topics