Description
Security fixes
This patch includes some security fixes.
These issues are present in previous v16 releases.
Impacted users are recommended to upgrade their auth and proxy servers to the latest version.
[High] Short to long term access escalation in Okta integration
- Enterprise fix: Verify required Okta OAuth scopes during plugin creation/update.
In Okta integration configurations with enabled access lists sync, a user with an approved just-in-time access request to an Okta application could be unintentionally promoted to an access list granting access to the same application. This would result in the access to the Okta app/group persisting after the access request expiration.
This vulnerability affects Okta integration users who have access lists sync enabled. You can check whether you have an Okta integration installed with access lists sync enabled either in the Teleport web UI on the Zero Trust Access / Integrations page or by running the “tctl get plugins/okta” CLI command and looking at the “spec.settings.okta.sync_settings.sync_access_lists” flag.
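The CLI check described above can be scripted so it can be run against several clusters. This is an added example, not Teleport's own code. It assumes `tctl get plugins/okta --format=json` prints a JSON array of resources that use the field names quoted above; the function name, script name and sample data are constructed for illustration.

```python
import json
import sys

# Field path quoted in the advisory text above.
FLAG_PATH = ("spec", "settings", "okta", "sync_settings", "sync_access_lists")


def _dig(obj, path):
    """Walk nested dicts; return None if any level is missing or not a dict."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def okta_plugins_with_access_list_sync(tctl_json):
    """Return names of plugin resources whose access lists sync flag is true.

    tctl_json is the text printed by `tctl get plugins/okta --format=json`.
    Assumption: the output is a JSON array of resources (a single object is
    also accepted) and uses the same field names as FLAG_PATH.
    """
    resources = json.loads(tctl_json)
    if isinstance(resources, dict):
        resources = [resources]
    affected = []
    for res in resources:
        # An absent flag is treated as disabled.
        if _dig(res, FLAG_PATH) is True:
            affected.append(_dig(res, ("metadata", "name")) or "<unnamed>")
    return affected


# Constructed sample, not real cluster output.
SAMPLE = json.dumps([
    {"kind": "plugin", "metadata": {"name": "okta"},
     "spec": {"settings": {"okta": {"sync_settings": {"sync_access_lists": True}}}}},
])

if __name__ == "__main__":
    # Usage: tctl get plugins/okta --format=json | python3 check_okta_sync.py
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    for name in okta_plugins_with_access_list_sync(text if text.strip() else SAMPLE):
        print(f"access lists sync ENABLED on plugin {name!r}: upgrade auth and proxy servers")
```

Run without piped input, the script falls back to the constructed sample so the output format can be seen offline.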
[Medium] Unsanitized user input affecting PKINIT (Kerberos)
- Fixed users being able to overwrite host files on SQL Server database systems when using Kerberos with PKINIT flow. #55143
Other fixes and improvements
- Fixed unknown resource kinds from rendering errors in the web UI. #55210
- Fixed the formatting of the cache_component label for the Prometheus metrics teleport_cache_health and teleport_cache_last_reset_seconds. #55192
- Fixed tctl rendering of timestamps in BotInstance resource YAML. #55164
- Fixed an issue with Hardware Key Support on Windows where a command would fail if the PIN prompt was not answered within 5 seconds. #55109
- Fixed an issue where the "Allowed Users" field from "tsh db ls" may include irrelevant entities. #55069
- Fixed database discovery failing when there are more than 5 OpenSearch domains. #55059
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
labels: security-patch=yes