Teleport 3.1.10

russjones released this 03 Sep 20:02

This release of Teleport contains multiple security fixes.

Description

As part of a routine security audit of Teleport, several security vulnerabilities and miscellaneous issues were discovered in Teleport 4.0, 3.2, and 3.1. We strongly suggest upgrading to the latest release.

Details

The most serious vulnerabilities (with severity high and medium) were centered around incorrect handling of session data. If an attacker is able to gain valid X.509 credentials of a Teleport node, they could use the session recording facility to read/write arbitrary files on the Auth Server or potentially corrupt recorded session data.

This vulnerability can only be exploited using credentials from a previously authenticated client; there is no known way to exploit it from outside the cluster by non-authenticated clients.

Actions

To mitigate these issues, upgrade all nodes, proxies, and auth servers. Upgrades should follow the normal Teleport upgrade procedure: https://gravitational.com/teleport/docs/admin-guide/#upgrading-teleport.

Download

Download one of the following releases to mitigate the issue:

Enterprise 4.0.5
Enterprise 3.2.8
Enterprise 3.1.10

All current and previous releases of Enterprise can be downloaded from https://dashboard.gravitational.com.