We're pleased to announce the immediate availability of Senate Matching Release 1.5.1 (September 2019). This release is focused on addressing recently disclosed security vulnerabilities in the HTTP2 and gRPC protocols, along with some minor bug fixes. The vulnerabilities are not serious; however, Data Republic recommends that all customers upgrade their Contributor Nodes to this latest version.
Here's what you need to know:
- About the vulnerability: Several denial of service (DoS) vulnerabilities were recently disclosed in the HTTP2 protocol by Netflix and Google security researchers. HTTP2 is used by Senate Matching for internal communication between Contributor and Matcher Nodes, and between Matcher and Aggregator Nodes (HTTP2 is the underlying transport for gRPC). Multiple vendors have issued related patches (see CERT Advisory). The affected Senate Matching components are:
  - Nginx (used in Contributor, Matcher and Aggregator Nodes). The vendor has released an update (see Change Log).
  - Golang libraries for HTTP2 and gRPC (used in Contributor, Matcher and Aggregator Nodes). The vendor has released updates (see Change Log).
- Risk impact of vulnerability: Data Republic has assessed these vulnerabilities as low risk to customers using Senate Matching:
  - The vulnerabilities affect the availability of services only; they do not allow an attacker to leak or modify information.
  - Contributor Nodes are not open to the Internet and are only accessible by internal teams.
  - Matcher and Aggregator Nodes require mutual TLS authentication and hence are not open to these attacks via the Internet (exploitation requires passing the SSL/TLS authentication steps).
- Actions: Data Republic has updated the affected components to the latest patched versions and extensively tested the latest release. We recommend customers upgrade when ready. Customers whose Contributor Node is hosted by DR will be updated automatically.
- Downtime: No platform downtime is associated with this release; the only downtime is the period during which Contributors update their own nodes.
Here's what you need to do:
All customers are encouraged to upgrade to the new release at their convenience.
To upgrade your Contributor Node, follow these steps:
1. Shut down your current Contributor Node
To stop your currently running node, use the command contributor.sh down, which cleanly shuts down the Docker container.
$ sudo bash contributor.sh down
2. Update your start-up script
Edit your version of contributor.sh to point to the latest Docker image tags. The relevant lines are given below (edit your file to match these):
export HITCH_DOCKER_IMAGE_TAG=contributor:1.5.1 # latest (Sep 2019)
export HITCH_UI_DOCKER_IMAGE_TAG=contributor-ui:1.5.1 # latest (Sep 2019)
3. Restart your Contributor Node
Start your Contributor Node with the contributor.sh up command. The script will download the latest version of the node software from our repository. Your data will be preserved during the update. The "-d" option starts the Docker containers in the background. Depending on your local environment, you may or may not need to run it with sudo.
$ sudo bash contributor.sh up -d
Do I HAVE to update?
DR recommends that all customers update to this latest version of the Contributor Node. Although the security vulnerabilities are relatively low risk, all affected vendors have recommended patching as best practice.
Where do I get contributor.sh from?
Use your previously distributed version. Contact Customer Success if there are any issues.
How do I know what version I am running?
Use your browser to visit your Contributor Node UI. You do not need to log in. Check the bottom of the web page:
- If you see a message starting "Version" (e.g. "Version 1.5.1 (build gf962203)") then this is the current version of your Contributor Node.
- If you only see a copyright message, then you are running version 1.5.0 or earlier and should update.
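The tag edit in step 2 and the version check above can both be scripted. The helper below is an added example, not part of the Data Republic release or of contributor.sh; it assumes contributor.sh carries the two "export HITCH_..._DOCKER_IMAGE_TAG=" lines exactly as shown in step 2, and that the UI footer text is the "Version X.Y.Z (build ...)" string described above.

```shell
#!/bin/sh
# Added helper (not Data Republic code). Assumes the two export lines from
# step 2 are present in contributor.sh and that the UI footer reads
# "Version X.Y.Z (build ...)" on 1.5.1 and later.

TARGET_VERSION="1.5.1"

# Point both image tag lines in contributor.sh ($1) at version $2.
# Writes the file in place and keeps a .bak copy. Returns 1 if either line
# is missing afterwards, so "contributor.sh up" is never run against a
# half-edited script.
set_image_tags() {
  script="$1"; version="$2"
  cp "$script" "$script.bak" || return 1
  sed -e "s|^export HITCH_DOCKER_IMAGE_TAG=contributor:[0-9.]*|export HITCH_DOCKER_IMAGE_TAG=contributor:$version|" \
      -e "s|^export HITCH_UI_DOCKER_IMAGE_TAG=contributor-ui:[0-9.]*|export HITCH_UI_DOCKER_IMAGE_TAG=contributor-ui:$version|" \
      "$script.bak" > "$script" || return 1
  grep -q "^export HITCH_DOCKER_IMAGE_TAG=contributor:$version" "$script" || return 1
  grep -q "^export HITCH_UI_DOCKER_IMAGE_TAG=contributor-ui:$version" "$script" || return 1
}

# Read the Contributor UI page HTML on stdin and classify the node against
# the wanted version $1. Prints "current", "outdated" (no "Version" string
# at all, i.e. 1.5.0 or earlier) or "other:<version>" for any other number.
ui_version_status() {
  want="$1"
  found=$(sed -n 's/.*Version \([0-9][0-9.]*\) (build [0-9a-z]*).*/\1/p' | head -n 1)
  if [ -z "$found" ]; then
    echo "outdated"          # only the copyright footer is shown
  elif [ "$found" = "$want" ]; then
    echo "current"
  else
    echo "other:$found"
  fi
}

# Usage with a constructed footer (not a captured page):
#   printf '<footer>Version 1.5.1 (build gf962203)</footer>' | ui_version_status "$TARGET_VERSION"
#   set_image_tags ./contributor.sh "$TARGET_VERSION" && sudo bash contributor.sh up -d
```

Fetch the UI page with curl from an internal host that can reach the node, since the Contributor UI is not exposed to the Internet.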
What security / testing / review checks have been performed on this release?
- QA performed a full regression test and tested performance of token databases containing up to 20M records.
- Static code analysis (Gosec #164) scanned 159 files and found 0 errors or warnings.
- All code is peer-reviewed in a "pull request" by at least one other developer before it is accepted onto the release branch.
- All (automated) unit tests passed.
- All (automated) integration tests passed.
What else has changed in this release?
- Contributor UI now shows running Contributor version
- Deleting all records from matcher databases now concurrent
- Refactor Contributor Node code for easier / more modular testing
- Implemented static code analysis (Gosec) checks during build phase