Mitigations for Reported Vulnerability

On 21 Dec a vulnerability was reported to CrateDB regarding authentication that could potentially affect all users. We have taken immediate action to remediate and have posted details here: Disable trust of HTTP X-Real-IP header by default. The CrateDB team currently has no evidence that the issue was exploited or data inappropriately disclosed. Customers are encouraged to implement recommended mitigations while we continue to investigate and monitor the situation.

We’ve just now published new CrateDB releases for all 5.2, 5.3, 5.4 and 5.5 versions to the testing channels which contain the related fix.

As the discoverer of this vulnerability, I think CrateDB’s timely repair measures and responsible disclosure policy are excellent.

Dear @Tu0Laj1,

first of all, thank you for reporting the flaw to us.

However, handling the responsible disclosure well would have initially been your obligation. Please try to reach out to the vendor next time before you publish a security vulnerability in the open. This is what responsible disclosure is all about.

With kind regards,
Andreas.

First of all, I apologize, because I did not find a specific channel for reporting security vulnerabilities in a prominent location on the CrateDB GitHub. Someone has previously inquired about this issue: List of CVE in Crate DB · Issue #15172 · crate/crate · GitHub

Thank you for your feedback. We will try to improve the discoverability of how to report security incidents to us by making it more prominent.

Adding a security vulnerability reporting method to the README file of the CrateDB GitHub repository, or a SECURITY.md, would be a good way, wouldn’t it?

Good idea. I’ve just submitted a corresponding patch. Thank you again.

Documentation: Add notices about reporting security flaws by amotl · Pull Request #15260 · crate/crate · GitHub

All related releases (5.2.11, 5.3.8, 5.4.7, 5.5.2) have been declared stable just now and thus are available at the stable channels.
Official docker images will be available once Update CrateDB to 5.2.11, 5.3.8, 5.4.7 and 5.5.2 by seut · Pull Request #15962 · docker-library/official-images · GitHub is merged.

Great, I reported a new vulnerability through this new vulnerability feedback method and hope it can be resolved as soon as possible.