This update contains the following security fixes:
- Security: prevent Sentry and Injector from applying the
daprsystem Configuration from a non control plane namespace.
Additionally, this patch release contains bug fixes:
- Fixed Sentry authentication validator rejecting valid requests.
- Fixed RabbitMQ not returning error when initialising component
- Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
- Fixed Dapr Runtime panic for malformed/unexpected workflow URLs
- Fixed an issue where Azure Blob Storage components cannot be used with Azure Blob Reader permission alone
- Fixed incorrect error message in the Azure EventHubs components
- Fixes an issue where the Consul nameresolution component only accepted IP addresses and not hostnames.
- Fixes an issue in the Redis PubSub component where a PubSub subscription could not recover under certain conditions.
- Security: Several dependency upgrades to address security issues
Security: Sentry and Injector only apply
daprsystem Configuration from the control plane namespace
Sentry and Injector will apply the
daprsystem configuration from a non-control plane namespace if the namespace name is alphabetically higher than the control plane namespace name.
Accidentally or maliciously, a Kubernetes user can write a Configuration in a non-control plane namespace that will be applied by Sentry and Injector.
This can re-write the Sentry CA, disable mTLS, or otherwise bring down the entire Dapr cluster.
Sentry and Injector currently list Configurations, before matching on the list for the
daprsystem Configuration, without filtering for namespaces.
Update Sentry and Injector to only get the
daprsystem Configuration from the namespace where the Dapr control plane is installed, instead of listing all Configurations.
Fixed Sentry rejecting valid requests from Daprd
Dapr would fail to request an identity certificate from Sentry when residing in a Namespace or using a Service Account with a sufficiently long name.
Users on Dapr 1.12.0 can observe Dapr sidecars failing to start.
Sentry validates that clients cannot request for an app ID which is over 64 characters in length.
Sentry also still accepts requests which use the legacy identifier of
<namespace>:<service account> which was not taken account for when doing the 64 character evaluation.
Sentry now evaluates the actual app ID being requested, whether or not the client is using the legacy or app ID as the identifier.
Fixed RabbitMQ not returning error when initialising component
A RabitMQ component may be considered healthy, when in fact it failed to initialise.
Dapr or downstream consumers of Dapr would consider RabitMQ components to be healthy when in fact they were not, causing improper reporting of status.
RabbitMQ was not returning an error when initialising a component, causing Dapr to consider the component healthy.
Failure to connect to RabbitMQ during initialization now causes an error to be returned, allowing Dapr to consider the component as unhealthy.
Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
With Resiliency enabled, in case of HTTP service invocation, if one application sends error status codes (HTTP codes <200 or >=400), Dapr returns a response with a generic 500 error, instead of the actual response error code.
Applications will receive the wrong status code in case of HTTP service invocation returning a failure error code with Resiliency enabled.
A bug was discovered in how errors were handled when Resiliency was enabled, causing all errors from the application to be "swallowed" by Dapr.
Resiliency code now returns the correct status code to the application.
Fixed Dapr Runtime panic for malformed/unexpected workflow URLs
Invoking certain Workflow APIs using HTTP with malformed URLs can cause Dapr to panic.
Impacts users on Dapr 1.12.0.
The Daprd metrics handler for workflows did not correctly handle malformed or unexpected URLs, and would panic if the URL was not in the expected format.
The Daprd metrics handler for workflows now correctly handles malformed or unexpected URLs.
Fixed an issue where Azure Blob Storage components cannot be used with Azure Blob Reader permission alone
The Azure Blob Storage component cannot be used with Azure Blob Reader permission alone.
Users on Dapr 1.12.0 cannot use the Azure Blob Storage component with Azure Blob Reader permission alone.
The component attempts to create a storage account (even when it exists already) but is not authorized to do so due to a lack of permission.
Added a boolean metadata option disableEntityManagement which now can be used to skip the attempt to create the storage container.
Fixed incorrect error message in the Azure EventHubs components
Azure EventHub component returns a warning message saying the storageAccountKey will be used but StorageAccountName is actually used in that condition.
Users on Dapr 1.12.0 may be confused by the warning message.
The component was using the StorageAccountName instead of the StorageAccountKey.
The component now emits the correct warning message.
Fixes an issue where the Consul nameresolution component only accepted IP addresses and not hostnames.
Dapr 1.12.0 was unable to add and resolve hostnames using the Consul nameresolution component.
Users on Dapr 1.12.0 were unable to resolve hostnames using the Consul nameresolution component.
A previous community contribution to improve IPv6 support inadvertently removed support for host names by returning an error for any string that does not parse as an IPv4 or IPv6 address.
Support for hostnames was added once again.
Fixes an issue in the Redis PubSub component where a PubSub subscription could not recover under certain conditions.
The Redis PubSub component could experience a rare situation where PubSub subscriptions would seize to function, causing the Dapr sidecar to print Redis error logs containing the word
NOGROUP message is indicative of the consumer group no longer existing. This could be because the group or stream was manually deleted outside of Dapr or because the external Redis server was restarted/reconfigured.
To avoid the excessive
NOGROUP logs in this rare situation Dapr will now attempt to recreate the consumer group for the given topic/stream when this error is encountered.
Security: Several dependency upgrades to address security issues
- CVE-2023-45283: Windows specific vulnerability in GO standard library
- gRPC-Go HTTP/2 Rapid Reset vulnerability
- HTTP/2 rapid reset can cause excessive work in net/http
- NATS.io: xkeys seal encryption used fixed key for all encryption
- NATS.io: Adding accounts for just the system account adds auth bypass
- 🔍View and search all dapr releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!