X-Road v6.20.1 Release Notes

Release Info

Version number: 6.20.1
Release date: 07.02.2019
Supported versions
  • 6.18.X
  • 6.19.X
  • 6.20.X
Supported platforms

Central Server

  • Ubuntu 14.04 LTS
  • Ubuntu 18.04 LTS

Configuration Proxy

  • Ubuntu 14.04 LTS
  • Ubuntu 18.04 LTS

Security Server

  • Ubuntu 14.04 LTS
  • Ubuntu 18.04 LTS
  • RHEL 7
Official documentation: https://github.com/nordic-institute/X-Road/tree/master/doc
Source code: https://github.com/nordic-institute/X-Road/tree/master
Software license: MIT

Changes in This Release

Summary

  • This patch release includes a security fix for management services.
  • The patch needs to be applied on the Central Server.
  • Security Servers are not affected and therefore do not need to be patched.

Completed Issues

Access to the X-Road Backlog and issue details requires signing up for an account.

Issue ID     Type   Summary
XRDDEV-351   Fix    Fix a vulnerability in management services that enables an unauthenticated server to submit management requests on other members’ behalf.

About the vulnerability

  • The management services on the Central Server are exposed through port 4001.
  • The port needs to be open so that Security Servers can send authentication certificate registration requests (authCertReg) to the Central Server.
  • By design, all other management requests are expected to go through the management Security Server.
    • The management Security Server is responsible for authenticating them.
  • However, before this fix the other management services, namely the Security Server client registration request (clientReg), the Security Server client deletion request (clientDeletion) and the Security Server authentication certificate deletion request (authCertDeletion), can also be reached directly via port 4001 without any authentication.
    • At a minimum, every Security Server must have access to port 4001 on the Central Server, so these services are reachable from every Security Server in the instance.
  • Anyone with access to port 4001 on the Central Server:
    • Can send an unauthenticated clientDeletion request, and the Central Server will delete the client.
    • Can send an unauthenticated clientReg request, and the Central Server will create a client registration request.
    • Can send an unauthenticated authCertDeletion request, and the Central Server will delete the authentication certificate. The certificate to be deleted is sent as a request parameter, so the sender must hold a copy of that certificate.

In addition, it is possible to trigger generation of the global configuration remotely by requesting "https://<CENTRAL_SERVER_HOST>:4001/managementservice/gen_conf". The content of the global configuration cannot be modified this way, but each generation creates CPU load, and repeated requests might cause a denial of service by filling up the disk.

Fix

The vulnerability has been fixed by splitting the management services in two:

  • Authentication certificate registration service (authCertReg)
    • Runs on port 4001
  • Security Server client registration service (clientReg), Security Server client deletion service (clientDeletion), authentication certificate deletion service (authCertDeletion)
    • Run on port 4002

Before the fix, all management services ran on port 4001. After the fix, authCertReg runs on port 4001 and the other management services on port 4002, so access to the authentication certificate registration service and to the other management services can be controlled separately by a firewall. Access to port 4002 must be allowed from the management Security Server(s) only.

In addition, it is no longer possible to trigger generation of the global configuration through port 4001. Generation can be triggered from localhost (on the Central Server) or through port 4400.

Changes to configuration

After the fix has been applied, the X-Road operator must update the management services URL on the management Security Server(s). The new URL depends on whether the management services are accessed over HTTP or HTTPS.

Current URL                                            New URL
http://<CENTRAL_SERVER_HOST>:4400/managementservice/   http://<CENTRAL_SERVER_HOST>:4400/managementservice/manage/
https://<CENTRAL_SERVER_HOST>:4001/managementservice/  https://<CENTRAL_SERVER_HOST>:4002/managementservice/manage/

Access to ports 4002 and 4400 must be allowed from management Security Server(s) only.
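The port split and the URL migration above can both be checked from a Security Server once the Central Server has been patched. The script below is an added example for these notes, not code from the X-Road project. It relies only on what the notes state (authCertReg on 4001; clientReg, clientDeletion and authCertDeletion on 4002/4400 under /managementservice/manage/; 4002 and 4400 open to the management Security Server(s) only). The host name and the fake connector used for its offline self-test are constructed.

```python
"""Post-patch checks for the X-Road 6.20.1 management-services port split.

Added example for these release notes, not code from the X-Road project.
It relies only on what the notes state: authCertReg stays on TCP 4001,
clientReg / clientDeletion / authCertDeletion move to 4002 (HTTPS) and
4400 (HTTP) under /managementservice/manage/, and 4002 and 4400 must be
reachable from the management Security Server(s) only. Host names and
the fake connector used for the offline self-test are constructed.
"""
import contextlib
import socket
from urllib.parse import urlsplit, urlunsplit

AUTH_CERT_REG_PORT = 4001             # open to every Security Server
MANAGEMENT_ONLY_PORTS = (4002, 4400)  # management Security Server(s) only

# (scheme, old port, old path) -> (new port, new path), taken from the
# "Changes to configuration" table of the release notes.
_URL_MIGRATION = {
    ("http", 4400, "/managementservice/"): (4400, "/managementservice/manage/"),
    ("https", 4001, "/managementservice/"): (4002, "/managementservice/manage/"),
}


def new_management_url(old_url: str) -> str:
    """Map a pre-6.20.1 management services URL to its 6.20.1 form.

    Anything that is not one of the two documented forms raises, so a typo
    or an already-migrated URL is never silently rewritten.
    """
    parts = urlsplit(old_url)
    key = (parts.scheme, parts.port, parts.path)
    if key not in _URL_MIGRATION:
        raise ValueError(f"not a pre-6.20.1 management services URL: {old_url}")
    port, path = _URL_MIGRATION[key]
    return urlunsplit((parts.scheme, f"{parts.hostname}:{port}", path, "", ""))


def tcp_reachable(host, port, connect=socket.create_connection, timeout=3.0):
    """True if a TCP connection to host:port succeeds.

    `connect` is injectable so the policy below can be exercised offline;
    the default performs a real connection attempt.
    """
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False


def check_exposure(host, from_management_ss, connect=socket.create_connection):
    """Probe the Central Server from this vantage point and list findings.

    Run once from a management Security Server (from_management_ss=True) and
    once from any other Security Server (False). A successful TCP connect on
    4002 or 4400 from the latter means the firewall still lets ordinary
    Security Servers reach the management services the fix set out to fence.
    The gen_conf endpoint is deliberately not probed: hitting it costs the
    Central Server CPU and disk.
    """
    findings = []
    if not tcp_reachable(host, AUTH_CERT_REG_PORT, connect):
        findings.append(f"{host}:{AUTH_CERT_REG_PORT} unreachable: authCertReg "
                        "must stay open to all Security Servers")
    for port in MANAGEMENT_ONLY_PORTS:
        reachable = tcp_reachable(host, port, connect)
        if reachable and not from_management_ss:
            findings.append(f"{host}:{port} reachable from a non-management "
                            "Security Server: restrict it by firewall")
        elif not reachable and from_management_ss:
            findings.append(f"{host}:{port} unreachable from the management "
                            "Security Server: management requests will fail")
    return findings


def make_fake_connector(open_ports):
    """Constructed stand-in for socket.create_connection (self-test only)."""
    def connect(address, timeout=None):
        if address[1] in open_ports:
            return contextlib.nullcontext()
        raise ConnectionRefusedError(f"{address[0]}:{address[1]}")
    return connect


if __name__ == "__main__":
    import sys
    # Usage: python check_mgmt_ports.py <central-server-host> [--management]
    if len(sys.argv) < 2:
        sys.exit("usage: check_mgmt_ports.py <central-server-host> [--management]")
    for line in check_exposure(sys.argv[1], "--management" in sys.argv) or ["no findings"]:
        print(line)
```

A TCP connect only shows what the firewall permits, which is exactly the control the notes rely on for 4002 and 4400; it says nothing about TLS or X-Road level authentication on those ports. Run the script from a management Security Server with --management and from an ordinary Security Server without it; both runs should report no findings.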

Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).

New/Updated Dependencies

Dependency   Old Version   New Version   Notes
-


Other Notes

-

Package Repositories

Repository   URL
Bionic       deb https://artifactory.niis.org/xroad-release-deb bionic-<version> main
Trusty       deb https://artifactory.niis.org/xroad-release-deb trusty-<version> main
RPM          https://artifactory.niis.org/xroad-release-rpm/rhel/7/<version>

Repository signing key can be downloaded from: https://artifactory.niis.org/api/gpg/key/public

Packages

Bionic

Package  SHA256 checksum
xroad-addon-hwtokens_6.20.1-1.ubuntu18.04_all.deb  f39ba653a261c994d2acb76f2f2182dc728739f96b5781ba4d941fcd5478302c
xroad-addon-messagelog_6.20.1-1.ubuntu18.04_all.deb  1c6de31cf5511a966ee7eee84b68e7aa6508898a89c50dbec3c400670d1a3c8a
xroad-addon-metaservices_6.20.1-1.ubuntu18.04_all.deb  daff0df8da164f33356b97ba7cd8ee584523d3ad2b641085cfd4c1901a4d0559
xroad-addon-opmonitoring_6.20.1-1.ubuntu18.04_all.deb  c77ab1a264fbdcba39eebfedafb2be2d4721c319dc4805998adb892368d86bb3
xroad-addon-proxymonitor_6.20.1-1.ubuntu18.04_all.deb  3f93a243997b765af6daf95ef1d0459400d4ff7365e1d0a6aab8c0014d5c7579
xroad-addon-wsdlvalidator_6.20.1-1.ubuntu18.04_all.deb  b6ab51028dab2505803f9f29254efbc653062b88f905a25fe202c29536574e8a
xroad-autologin_6.20.1-1.ubuntu18.04_all.deb  307e6b1f0224975dc238c8e3738016620f3707f85a9d3254ff6e7fa2a404af1e
xroad-base_6.20.1-1.ubuntu18.04_amd64.deb  ef6658db2819654bebfc849dc4c29f10224251be4718fb11ab34c383d21b3b6a
xroad-center-clusterhelper_6.20.1-1.ubuntu18.04_all.deb  7069e9d1b912c1e7421377b5fc6e56ecf8b673b025187edae023b3fa9112c7b4
xroad-center_6.20.1-1.ubuntu18.04_all.deb  cd6b0b8ad772b9139dba2e4f8cf57f0835747d86080a7d33b82bef29a4cf3f16
xroad-centralserver-monitoring_6.20.1-1.ubuntu18.04_all.deb  c5dc1a5dbf14c881f2ca4d80ea893c89e89ae8e8baa7b5209fd441d6ad27a2fd
xroad-centralserver_6.20.1-1.ubuntu18.04_all.deb  6dc32f8a5801bdf1d982f28083bd98a740413bffa43d3d53a4065c968a99b807
xroad-confclient_6.20.1-1.ubuntu18.04_amd64.deb  77aec770ef5e4f40d5bd2c57db2b83944964977578966021e3b153054012e94e
xroad-confproxy_6.20.1-1.ubuntu18.04_all.deb  c7ab0d09e5b1f7fc7f5722b0be1fede1c15b74e513031d33ab8176dc0c4e43f2
xroad-jetty9_6.20.1-1.ubuntu18.04_all.deb  eb4af9b265359e54082344af87503efd3672d68d6e6d88759d7063e7ff458e04
xroad-monitor_6.20.1-1.ubuntu18.04_all.deb  1d0296fd3e02c143d6c6e52d3232c59b29cd651491c9a51a426f91934e86f076
xroad-nginx_6.20.1-1.ubuntu18.04_amd64.deb  9ef5ebb1c7a682d83915229a4b2e353b91e4b921c71433129e58948326487914
xroad-opmonitor_6.20.1-1.ubuntu18.04_all.deb  641e539f0b48d4f48b1be4e85d79cbcdcf5342be40a418b7d93a301aebab010e
xroad-proxy_6.20.1-1.ubuntu18.04_all.deb  4977710c356e6caa29a5268e0181973090fa13ba8c96ee8e96bc0e82aca06022
xroad-securityserver-ee_6.20.1-1.ubuntu18.04_all.deb  5fb5ff77b4955a475a37556f4a5f178c80a66ddb9f926904e2417137c6d68e83
xroad-securityserver-fi_6.20.1-1.ubuntu18.04_all.deb  b24d169e731cd2879df92424913b7f33d1f0502fc149748b494cc71d6f22b7e5
xroad-securityserver_6.20.1-1.ubuntu18.04_all.deb  9ae47f3828d7e242b0fb593beddf3330ef5fde157a3a28608b1da3d17d4fe473
xroad-signer_6.20.1-1.ubuntu18.04_amd64.deb  fa0b41f337697739b0f39c25316c152b7223b1cd9259ce02ce72a08be2519888

Trusty

Package  SHA256 checksum
xroad-addon-hwtokens_6.20.1-1.ubuntu14.04_all.deb  c9a5dfaf2d8d7b0c7ee32e7b461ebbca3db2dead7af7371f1e80d253d2aba7df
xroad-addon-messagelog_6.20.1-1.ubuntu14.04_all.deb  33d323a7537b21e9c75a902753da95a22689d81c24262a3df32acdd484ce0ffc
xroad-addon-metaservices_6.20.1-1.ubuntu14.04_all.deb  faf9aae055714c7f5e1e1a08ba3107af78f22ec0347b8b00190cedfd3aea2c13
xroad-addon-opmonitoring_6.20.1-1.ubuntu14.04_all.deb  911d8f865ea340618659d01ff300f2f829a6232cf4bae3eeee68abfe270c78f8
xroad-addon-proxymonitor_6.20.1-1.ubuntu14.04_all.deb  b071deee441898cb0e131fa6e8857744b5803ed12698272cdf9237511a2ecb83
xroad-addon-wsdlvalidator_6.20.1-1.ubuntu14.04_all.deb  bc406406825693d9cbadbd0879ce4bab9ed1187a5c0d18a4d984ff9b1e2124cc
xroad-autologin_6.20.1-1.ubuntu14.04_all.deb  e78fe7cb7dc7ced0cf2f8d5bffecbc6928be068025052dc06f8fa82580c5e734
xroad-base_6.20.1-1.ubuntu14.04_amd64.deb  63da37b5e4262ced581dd40b250a58304145588a0fa57c552286a4b80076e31c
xroad-center-clusterhelper_6.20.1-1.ubuntu14.04_all.deb  d550edb2c5f24d41fbfd1b0195cd4e7994d675a5b57467b18305d4b03589600f
xroad-center_6.20.1-1.ubuntu14.04_all.deb  571f010626d0550334cdf53c38b14c763ba12fc145ded0875ec070071cacbed7
xroad-centralserver-monitoring_6.20.1-1.ubuntu14.04_all.deb  dc871a8bc855008833cd78b7dc02703a19058effb913accbc42ba10f9f3a5a3e
xroad-centralserver_6.20.1-1.ubuntu14.04_all.deb  88c1495342072adb69a72ecd3004e96b98bcbda9e191c8e1c72e74289d86d514
xroad-confclient_6.20.1-1.ubuntu14.04_amd64.deb  651ed592e3a56a6bbd059e3579ce80109b527c2bcdb9331757f1c1f184b69cc3
xroad-confproxy_6.20.1-1.ubuntu14.04_all.deb  f61a73cfaadda15f2199b21a4595d774e22fbed5cf2768c9c8dce20aaf8a2619
xroad-jetty9_6.20.1-1.ubuntu14.04_all.deb  55dbcdc08f954cbd83b143bdcce06c8941594706145d5b57b21893fb16347e2b
xroad-monitor_6.20.1-1.ubuntu14.04_all.deb  b3e6ed78e81afb8f8833ba488fe33caa0f43ddde23f58e59b76a8d3dd2f092a5
xroad-nginx_6.20.1-1.ubuntu14.04_amd64.deb  a831230262d11b547d255d884f39a565a0ccafcda718856d06f3cda2510da7a9
xroad-opmonitor_6.20.1-1.ubuntu14.04_all.deb  0481418ffa244a3974463dce6a2da76f341b8839805d21ea96a4cdec798abbcc
xroad-proxy_6.20.1-1.ubuntu14.04_all.deb  a8fba6e503c9b2bfedb6c2de1b4d8cefce852d41bcbd9f5899de916976f5adf9
xroad-securityserver-ee_6.20.1-1.ubuntu14.04_all.deb  2c06ddea36f245c2bd76da2e42263a124dab9e8113135820b285b91c0ebe0ffa
xroad-securityserver-fi_6.20.1-1.ubuntu14.04_all.deb  15206da004e7d081e5612f98282627ea147e7e6ce9a47e160c927413c1ba92d9
xroad-securityserver_6.20.1-1.ubuntu14.04_all.deb  7353ba66d289cf50903b9a10a7bac4bfd1b3ff3c2739f811c273a6c66d7669fd
xroad-signer_6.20.1-1.ubuntu14.04_amd64.deb  cb4cd436f62529d4aae347cbc48a364d3f55123cf550a779474b6b650ca37e15


RPM

Package  SHA256 checksum
xroad-addon-messagelog-6.20.1-1.el7.x86_64.rpm  b259622a41d7ad333fc2522d0459a20584db2d8e5e7b950a8be6974823326d19
xroad-addon-metaservices-6.20.1-1.el7.x86_64.rpm  17be57ea5201dbad993b07e0a2318632f07b43e70a2f6242c1c0e36f968974c3
xroad-addon-opmonitoring-6.20.1-1.el7.x86_64.rpm  64928eec35917787af368131ff3c190a23dbae9dd0c15c244ff60e3786aecef6
xroad-addon-proxymonitor-6.20.1-1.el7.x86_64.rpm  d8d7edabdb5e09c4e659d4af5e67b46a30a9adc47bc862a15a2ea8d89430dff4
xroad-addon-wsdlvalidator-6.20.1-1.el7.x86_64.rpm  4dc7a12ad0aad62752c138a4fe715470c58072b3499c0c648481f8053d4de190
xroad-autologin-6.20.1-1.el7.noarch.rpm  7f3211cb7390feb14b331615cdebed2920d82205c6a5f4692a4ac7079f1a49fb
xroad-base-6.20.1-1.el7.x86_64.rpm  27f6efde034ec11bb7ddad3a48d0d37faca6008a2601446847c770900ff420e7
xroad-common-6.20.1-1.el7.x86_64.rpm  0d43e448164b77dbdc30449bf603458404c6b8933a60dedd8bb48681d3d3c1e0
xroad-confclient-6.20.1-1.el7.x86_64.rpm  40bfd9d919527cd75c899d1c7392cfb162a781473ebc7fd70a4c44cb8f4c4999
xroad-jetty9-6.20.1-1.el7.x86_64.rpm  94c7937c30a785a7f3b03d92746e869a006fc7dc8c435f3f3545932987747706
xroad-monitor-6.20.1-1.el7.x86_64.rpm  0b752a1d32f69766689144fe1ad49cc18e49f89e018155e85189daad9bae903f
xroad-nginx-6.20.1-1.el7.x86_64.rpm  2bbf3c5b0c7dae9e7e918e53bbb071ee0d9afb446543701eb0ffb744e4fcbfe8
xroad-opmonitor-6.20.1-1.el7.x86_64.rpm  9901ea36aa9d397cef826af5967526995f7878651ef2e012356b83e308bf6568
xroad-proxy-6.20.1-1.el7.x86_64.rpm  446a2965957c87f3820c5be9597581d996fba01d1aff88984fdbef9c17b0fe00
xroad-securityserver-6.20.1-1.el7.noarch.rpm  1b9db44df1e6e8ceefcd1944e595c85ba4e459df1f7c385bd592910856a7c1a3
xroad-securityserver-fi-6.20.1-1.el7.noarch.rpm  0142a957ebc820beccc1e3dc9f62ccda154ca05b9077a183ac333f0dcf152779
xroad-signer-6.20.1-1.el7.x86_64.rpm  3a33078417433476145cf25fcec098ac70965a2e9c4443ab362129ad4ac67603
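Before installing, downloaded packages should be compared against the checksums listed above. The script below is an added example for these notes, not a tool shipped by the X-Road project. It reads the package/checksum pairs as they appear on this page (name and checksum on one line or on separate lines) and checks a download directory against them; the files written by its demo() are constructed test data, and the one xroad-base checksum it uses is copied from the Bionic table.

```python
"""Verify downloaded X-Road 6.20.1 packages against the published SHA256 list.

Added example for these release notes, not a tool shipped by the X-Road
project. It parses the package/checksum pairs exactly as printed on this
page, hashes every listed file in a download directory and reports each
package as ok, MISMATCH or missing, plus any .deb/.rpm that is not on the
list, so a truncated or tampered package is caught before dpkg or yum
sees it. The files written by demo() are constructed test data; the one
xroad-base checksum it uses is copied from the Bionic table.
"""
import hashlib
import re
import tempfile
from pathlib import Path

_PKG = re.compile(r"^[\w.+-]+\.(?:deb|rpm)$")
_SHA = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_checksum_list(text: str) -> dict:
    """Pair each package file name with the next 64-hex token after it.

    Works whether name and checksum share a line or sit on separate lines,
    which is how the tables come out when the page is copied as text.
    """
    table, pending = {}, None
    for tok in text.split():
        if _PKG.match(tok):
            pending = tok
        elif _SHA.match(tok) and pending:
            table[pending] = tok.lower()
            pending = None
    return table


def sha256_file(path, chunk=1 << 20) -> str:
    """Streaming SHA-256 so large packages are not read into RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(directory, expected: dict) -> dict:
    """Return {package: 'ok' | 'MISMATCH' | 'missing' | 'unlisted'}."""
    directory = Path(directory)
    results = {}
    for name, sha in expected.items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == sha else "MISMATCH"
    # A package that is not on the list must not slip into the install step.
    for path in directory.iterdir():
        if path.suffix in (".deb", ".rpm") and path.name not in expected:
            results[path.name] = "unlisted"
    return results


def all_verified(results: dict) -> bool:
    """True only when every listed package is present, matches, and nothing unlisted is present."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo() -> dict:
    """Offline run on constructed files in a temp dir; returns the results."""
    sha_abc = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # SHA-256 of b"abc"
    listing = f"""
    Package  SHA256 checksum
    good_6.20.1-1.ubuntu18.04_all.deb  {sha_abc}
    tampered_6.20.1-1.ubuntu18.04_all.deb
    {sha_abc}
    xroad-base_6.20.1-1.ubuntu18.04_amd64.deb  ef6658db2819654bebfc849dc4c29f10224251be4718fb11ab34c383d21b3b6a
    """
    with tempfile.TemporaryDirectory() as d:
        Path(d, "good_6.20.1-1.ubuntu18.04_all.deb").write_bytes(b"abc")
        Path(d, "tampered_6.20.1-1.ubuntu18.04_all.deb").write_bytes(b"abd")
        Path(d, "rogue_1.0_all.deb").write_bytes(b"not on the list")
        return verify_downloads(d, parse_checksum_list(listing))


if __name__ == "__main__":
    import sys
    # Usage: python verify_packages.py <checksum-list.txt> <download-dir>
    if len(sys.argv) == 3:
        res = verify_downloads(sys.argv[2], parse_checksum_list(Path(sys.argv[1]).read_text()))
    else:
        res = demo()
    for name, status in sorted(res.items()):
        print(f"{status:9} {name}")
    sys.exit(0 if all_verified(res) else 1)
```

Save the relevant table to a text file and run `python verify_packages.py checksums.txt ./downloads`; the exit status is non-zero on any mismatched, missing or unlisted package. These checksums prove integrity against the list on this page only; for packages installed straight from the repositories, authenticity comes from the repository signature under the signing key linked above.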