github gravitational/teleport v6.2.22
Teleport 6.2.22

2 years ago

Description

This release of Teleport contains multiple security fixes discovered as a part of a routine security audit.

Insufficient authorization check in self-hosted MySQL database access

The Teleport MySQL proxy engine did not handle the internal MySQL protocol command that allows a client to reauthenticate an active connection.

This could allow an attacker holding a valid client certificate for one database user to reauthenticate as a different MySQL user that was created with the require x509 clause.

Authorization bypass in application access

When proxying a websocket connection, Teleport did not check for a successful connection upgrade response from the target application.

In scenarios where the Teleport proxy is located behind a load balancer, this could result in the load balancer reusing the cached authenticated connection for future unauthenticated requests.
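The check described above, as an added illustration rather than Teleport's own code: after forwarding the client's WebSocket handshake, a proxy should parse the target's reply and begin piping bytes only if the target actually answered with a completed protocol switch. The sample responses are constructed here, not captured traffic.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample responses from a target application, not captured traffic.
var (
	acceptedUpgrade = []byte("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
	refusedUpgrade  = []byte("HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
)

// upgradeAccepted reports whether the target completed the protocol switch.
// Without this check a proxy that starts piping bytes right after forwarding
// the handshake treats any reply, including a refusal, as an upgraded
// connection, which an intermediary such as a load balancer may then reuse.
func upgradeAccepted(resp *http.Response) error {
	if resp.StatusCode != http.StatusSwitchingProtocols {
		return fmt.Errorf("upgrade refused: status %d", resp.StatusCode)
	}
	if !strings.EqualFold(resp.Header.Get("Upgrade"), "websocket") {
		return fmt.Errorf("unexpected Upgrade header %q", resp.Header.Get("Upgrade"))
	}
	// Connection is a comma-separated token list; require the "upgrade" token.
	for _, tok := range strings.Split(resp.Header.Get("Connection"), ",") {
		if strings.EqualFold(strings.TrimSpace(tok), "upgrade") {
			return nil
		}
	}
	return fmt.Errorf("Connection header %q lacks upgrade token", resp.Header.Get("Connection"))
}

// checkRawResponse parses the bytes read back from the target and decides whether piping may begin.
func checkRawResponse(raw []byte) error {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return fmt.Errorf("malformed handshake response: %w", err)
	}
	defer resp.Body.Close()
	return upgradeAccepted(resp)
}

func main() {
	fmt.Println("accepted:", checkRawResponse(acceptedUpgrade)) // accepted: <nil>
	fmt.Println("refused: ", checkRawResponse(refusedUpgrade))  // refused:  upgrade refused: status 403
}
```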

Missing password confirmation on password change

Teleport did not verify the old password if the cluster's second factor was set to "optional" and the user had no registered MFA devices.

This could allow an attacker with access to a user's authenticated browser session to change that user's password.

Actions

Users should back up the Teleport cluster, then follow the standard Teleport upgrade procedure:

  • For all Teleport users, we recommend upgrading auth servers.
  • For Database Access users we recommend upgrading database agents that handle connections to self-hosted MySQL servers.
  • For Application Access users we recommend upgrading application agents.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

For Teleport Enterprise customers, 6.2.22 is identical to 6.2.20.
