Tyk Gateway v5.0.7

Fixed

• Fixed an issue where the Tyk Gateway logs would include sensitive information when the incorrect signature is provided in a request to an API protected by HMAC authentication.
• Fixed a performance issue where JWT middleware introduced latency which significantly reduced the overall request/response throughput.
• Fixed a performance issue when Tyk Gateway retrieves a key via MDCB for a JWT API. The token is now validated against JWKS or the public key in the API Definition.
• Fixed a potential race condition where the DRL manager was not properly protected against concurrent read/write operations in some high load scenarios.
• Fixed High Priority CVEs identified in Tyk Gateway.
• Fixed a bug where a duplicate error message was returned when a custom Go Plugin returned an error. Thanks to @PatrickTaibel for highlighting the issue and suggesting a fix.
• Fixed an issue where enforced timeout values were incorrect on a per-request basis. Since we enforced timeouts only at the transport level and created the transport only once within the value set by max_conn_time, the timeout in effect was not deterministic. Timeouts larger than 0 seconds are now enforced for each request.

Tyk Dashboard v5.0.7

Fixed

• Embeded TIB v1.4.2 which fixed SSO Integration: Resolved issues affecting SAML and Azure-based Single Sign-On authentication.
• Added a new Dashboard configuration option allow_unsafe_oas. This permits the modification of Tyk OAS APIs via the Tyk Classic API endpoints. This is not recommended action due to the risk of inconsistent behaviour and potential for breaking changes while Tyk OAS is in Early Access. This is provided for early adopters and will be deprecated later, once Tyk OAS reaches full maturity.
• Fixed a security vulnerability with the Tyk Dashboard API where the api_version and api_id query parameters were potential targets for SQL injection attack.
• Fixed an issue encountered with the API Designer where fields defined in uptime_tests.check_list were not correctly handled. Uptime tests can now be configured for Tyk Classic APIs using the Raw API Definition editor.
• Fixed a problem for Azure SAML2.0 Identity provider that prevented users from authenticating.
• Fixed High Priority CVEs identified in Tyk Dashboard.
• Fixed an issue in the Dashboard Service Uptime page where the number of success hits was being incorrectly reported as the total number of hits, inclusive of failures. After this fix, the Success Column displays only the number of success hits.
• Fixed an issue where Tyk would not store the Policy Id in the API Definition for a policy that did not exist. When using JWT Authentication, the JWT Default Policy Id is stored in the API Definition. If this policy had not been created in Tyk at the time the API Definition was created, Tyk Dashboard would invalidate the field in the API Definition. When the policy was later created, there would be no reference to it from the API Definition. This was a particular issue when using Tyk Operator to manage the creation of assets on Tyk.
• Fixed an issue in the Tyk Dashboard where a user might not correctly inherit all permissions from their user group, and could incorrectly be granted visibility of Identity Management.
• Fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This was due to the policy cleaning operation that is triggered when an API is deleted from a policy in a MongoDB installation. With this fix, the policy cleaning operation will not remove the final (deleted) API from the policy; Tyk recognises that the API record is invalid and denies granting access rights to the key.