Teleport 8.0.4


Description

This release of Teleport contains multiple security fixes discovered as part of a routine security audit.

Insufficient authorization check in self-hosted MySQL database access

The Teleport MySQL proxy engine did not handle the internal MySQL protocol command that allows an active connection to be reauthenticated.

This could allow an attacker with a valid client certificate for a particular database user to reauthenticate as a different MySQL user that was created using the `REQUIRE X509` clause.

Insufficient authorization check in MongoDB database access

The Teleport MongoDB proxy engine did not implement processing for all possible MongoDB wire protocol messages.

This could allow an attacker with a valid client certificate to connect to the database in a way that would prevent Teleport from enforcing its authorization check on database names.

Authorization bypass in application access

When proxying a websocket connection, the Teleport proxy did not check for a successful connection upgrade response from the target application.

In scenarios where the Teleport proxy is located behind a load balancer, this could result in the load balancer reusing the cached, authenticated connection for future unauthenticated requests.
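The missing check described above, as an added illustration in Go that is not Teleport's own code: a minimal proxy hand-off that relays the target's reply to the client but splices the two raw byte streams only after a genuine 101 Switching Protocols response. The function names, the errUpgradeRejected value and the sample replies are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

var errUpgradeRejected = errors.New("target did not switch protocols; not splicing")

// upgradeAccepted reports whether the target genuinely switched protocols: only
// a 101 carrying "Upgrade: websocket" qualifies; a 200, 401 or 403 never does.
func upgradeAccepted(resp *http.Response) bool {
	return resp.StatusCode == http.StatusSwitchingProtocols &&
		strings.EqualFold(resp.Header.Get("Upgrade"), "websocket")
}

// proxyUpgrade forwards the client's upgrade request, relays the target's answer
// verbatim and splices the raw byte streams only if the upgrade was accepted, so
// a refused upgrade leaves both sides as plain HTTP rather than a raw tunnel.
func proxyUpgrade(req *http.Request, client, target net.Conn) error {
	if err := req.Write(target); err != nil {
		return err
	}
	tr := bufio.NewReader(target)
	resp, err := http.ReadResponse(tr, req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if err := resp.Write(client); err != nil { // the 101 or the refusal
		return err
	}
	if !upgradeAccepted(resp) {
		return errUpgradeRejected // no io.Copy in either direction
	}
	go io.Copy(target, client)
	_, err = io.Copy(client, tr) // tr may already hold bytes from the target
	return err
}

func main() { // constructed sample: the target answers the upgrade with a 200
	raw := "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
	resp, _ := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	fmt.Println("splice allowed:", upgradeAccepted(resp)) // splice allowed: false
}
```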

Actions

Users should back up the Teleport cluster, then follow the standard Teleport upgrade procedure:

  • For Database Access users, we recommend upgrading the database agents that handle connections to self-hosted MySQL servers.
  • For Application Access users, we recommend upgrading the application agents.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

For Teleport Enterprise customers, 8.0.4 is identical to 8.0.3.
