github gravitational/teleport v12.1.5
Teleport 12.1.5


Description

12.1.5 (03/30/23)

This release of Teleport contains 2 security fixes as well as multiple improvements and bug fixes.

[High] OS authorization bypass in SSH tunneling

When establishing an SSH port forwarding connection, Teleport did not
sufficiently validate the specified OS principal.

This could allow an attacker in possession of valid cluster credentials to
establish a TCP tunnel to a node using a non-existent Linux user.

The connection attempt would show up in the audit log as a "port" audit event
(code T3003I) and include the Teleport username in the "user" field.

[High] Teleport authorization bypass in Kubernetes Access

When authorizing a Kubernetes Access request, Teleport did not adequately
validate the target Kubernetes cluster.

This could allow an attacker in possession of valid Kubernetes agent credentials
or a join token to trick Teleport into forwarding requests to a different
Kubernetes cluster.

Every Kubernetes request would show up in the audit log as a "kube.request"
audit event (code T3009I) and include the Kubernetes cluster metadata.
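
The two audit event codes named in the advisories above can be used to review past activity. The following is an added example, not part of the original release notes or of Teleport's code: it scans a JSON-lines audit log for T3003I and T3009I events and groups them by Teleport user. Only the "event", "code" and "user" fields come from the notes; the "time" and "kubernetes_cluster" field names, the per-user cluster allowlist and the sample log are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Event codes named in the two advisories above.
PORT_CODE = "T3003I"  # "port" event (SSH port forwarding)
KUBE_CODE = "T3009I"  # "kube.request" event (Kubernetes Access)

# Constructed sample audit log (JSON lines). "time" and "kubernetes_cluster"
# are assumed field names; the "example.other" event is a placeholder.
SAMPLE_LOG = """\
{"event":"port","code":"T3003I","user":"alice","time":"2023-03-28T10:00:00Z"}
{"event":"example.other","code":"EXAMPLE","user":"alice","time":"2023-03-28T10:01:00Z"}
{"event":"kube.request","code":"T3009I","user":"bob","kubernetes_cluster":"prod","time":"2023-03-28T10:02:00Z"}
{"event":"kube.request","code":"T3009I","user":"bob","kubernetes_cluster":"staging","time":"2023-03-28T10:03:00Z"}
{"event":"port","code":"T3003I","user":"alice","time":"2023-03-28T10:04:00Z"}
{"event":"port","code":"T3003I","user":"ali
{"event":"kube.request","code":"T3009I","user":"carol","time":"2023-03-28T10:05:00Z"}
"""

def triage(lines, expected_clusters=None):
    """Group port and kube.request events by Teleport user for manual review.

    expected_clusters is a hypothetical allowlist {user: {cluster, ...}}.
    A kube.request is flagged when its cluster metadata is missing or when
    the user has an allowlist entry that does not contain the cluster.
    """
    expected_clusters = expected_clusters or {}
    ports = defaultdict(list)  # user -> timestamps of port-forwarding events
    kube = defaultdict(set)    # user -> cluster names seen in kube.request
    flagged, skipped = [], 0
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            skipped += 1       # count unparsable lines instead of hiding them
            continue
        user, code = ev.get("user", "<no user>"), ev.get("code")
        if code == PORT_CODE:
            ports[user].append(ev.get("time"))
        elif code == KUBE_CODE:
            cluster = ev.get("kubernetes_cluster")
            kube[user].add(cluster)
            allowed = expected_clusters.get(user)
            if cluster is None or (allowed is not None and cluster not in allowed):
                flagged.append((user, cluster, ev.get("time")))
    return {"port": dict(ports), "kube": dict(kube),
            "flagged": flagged, "skipped": skipped}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG.splitlines(), {"bob": {"prod"}}),
                     indent=2, default=sorted))
```

A non-zero "skipped" count means some lines were truncated or malformed and the review is incomplete for that file.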

Other improvements and fixes

  • AMIs
    • Added support for configuring TLS routing mode in AMIs. #23678
  • Application Access
    • Added support for application access behind ALB. #23054
    • Fixed app access requests being redirected to leaf's public address in some cases. #23220
    • Reduced log noise. #23365
    • Added ability to specify command in AWS tsh proxy. #23835
  • Bootstrap
    • Added provision tokens support. #23474
  • CLI
    • Added app_server support to tctl resource commands. #23136
    • Display year in tctl commands output. #23371
    • Fixed issue with tsh reporting errors about missing webauthn.dll on Windows. #23161
    • Updated tsh status to not display internal logins. #23411
    • Added --cluster flag to tsh kube sessions command. #23825
    • Fixed issue with invalid TLS mode when creating database resources. #23808
  • Database Access
    • Added support for canceling in-progress PostgreSQL requests in database access. #23467
    • Fixed issue with query audit events always having success: false status. #23274
  • Desktop Access
    • Updated setup script to be idempotent. #23176
  • Helm Charts
    • Added ability to set resource limits and requests for pre-deployment jobs. #23126
  • Infrastructure
    • Introduced distroless Teleport container images. #22814
  • Kubernetes Access
    • Fixed issue with tsh kube credentials failing on remote clusters. #23354
    • Fixed issue with tsh kube credentials loading incorrect profile. #23716
  • Machine ID
    • Added ability to specify memory backend using CLI parameters. #23495
    • Added support for Azure delegated joining. #23391
    • Added support for GitLab delegated joining. #23191
    • Added support for trusted clusters. #23390
    • Added FIPS support. #23850
  • Proxy Peering
    • Fixed proxy peering issues when running behind a load balancer. #23506
  • Reverse Tunnels
    • Fixed issue when joining leaf cluster over tunnel port with enabled proxy protocol. #23487
    • Fixed issue with joining agents over reverse tunnel port. #23332
  • Performance & scalability
    • Improved tsh ls -R performance in large clusters. #23596
    • Improved performance when setting session environment variables. #23834
  • Server Access
    • Fixed issue with successful SFTP transfers returning non-zero code. #23729
  • SSO
    • Fixed issue with GitHub Enterprise SSO not working with custom URLs. #23568
  • Teleport Connect
    • Added support for config customization. #23197
    • Fixed unresponsive terminal on Windows Server 2019. #22996
  • Tooling
    • Updated Electron to 22.3.2. #23048
    • Updated Go to 1.20.2. #22997
    • Updated Rust to 1.68.0. #23101
  • Web UI
    • Added MFA support when copying files. #23195
    • Fixed "ambiguous node" error when downloading files. #23152
    • Fixed intermittent "client connection is closing" errors in web UI after logging in. #23733

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes
