Gravitational Teleport v3.1.10 Release Notes

Release Date: 2019-09-03
  • This release of Teleport contains multiple security fixes.

    Description

    As part of a routine security audit of Teleport, several security vulnerabilities and miscellaneous issues were discovered in Teleport 4.0, 3.2, and 3.1. We strongly suggest upgrading to the latest release.

    Details

    The most serious vulnerabilities (with severity high and medium) were centered around incorrect handling of session data. If an attacker is able to gain valid x509 credentials of a Teleport node, they could use the session recording facility to read/write arbitrary files on the Auth Server or potentially corrupt recorded session data.

    This vulnerability can only be exploited using credentials from a previously authenticated client; there is no known way for non-authenticated clients to exploit it from outside the cluster.

    Actions

    To mitigate these issues, upgrade all nodes, proxies, and auth servers. Upgrades should follow the normal Teleport upgrade procedure: https://gravitational.com/teleport/docs/admin-guide/#upgrading-teleport.

    Download

    Download one of the following releases to mitigate the issue:

    Enterprise 4.0.5
    Enterprise 3.2.8
    Enterprise 3.1.10

    All current and previous releases of Enterprise can be downloaded from https://dashboard.gravitational.com.