X-Road v6.19.1 Release Notes

Release Info

Version number: 6.19.1
Release date: 07.02.2019
Supported versions:
  • 6.18.X
  • 6.19.X
  • 6.20.X
Supported platforms:

Central Server

  • Ubuntu 14.04 LTS

Configuration Proxy

  • Ubuntu 14.04 LTS

Security Server

  • Ubuntu 14.04 LTS
  • RHEL 7

Official documentation: https://github.com/nordic-institute/X-Road/tree/master/doc
Source code: https://github.com/nordic-institute/X-Road/tree/master
Software license: MIT

Changes in This Release

Summary

  • This patch release includes a security fix for management services.
  • The patch needs to be applied on the Central Server.
  • Security Servers are not affected and therefore do not need to be patched.

Completed Issues


Issue ID | Type | Summary
XRDDEV-351 | Fix | Fix a vulnerability in management services that enables an unauthenticated server to submit management requests on other members' behalf.

About the vulnerability

  • The management services on the Central Server are exposed through port 4001.
  • The port needs to be open so that Security Servers can send the authentication certificate registration requests (authCertReg) to the Central Server.
  • It is assumed that all other management requests must go through the management Security Server.
    • The management Security Server is responsible for authentication.
  • However, the other management services - Security Server client registration request (clientReg), Security Server client deletion request (clientDeletion), Security Server authentication certificate deletion request (authCertDeletion) - can also be reached directly via port 4001 without authentication.
    • All Security Servers need at least access to port 4001 on the Central Server.
  • If one has access to port 4001 on the Central Server:
    • It is possible to send an unauthenticated clientDeletion request, and the Central Server will delete the client.
    • It is possible to send an unauthenticated clientReg request, and the Central Server will create a client registration request.
    • It is possible to send an unauthenticated authCertDeletion request, and the Central Server will delete the authentication certificate. The authentication certificate to be deleted is sent as a request parameter and therefore, the sender of the request must have access to the certificate to be deleted.

In addition, it is possible to launch the generation of the global configuration remotely by accessing "https://<CENTRAL_SERVER_HOST>:4001/managementservice/gen_conf". The content of the global configuration cannot be modified, but the generation creates at least some CPU load and might cause a DoS by filling up the disk.

Fix

The vulnerability has been fixed by splitting the management services in two:

  • Authentication certificate registration service (authCertReg)
    • Runs on port 4001
  • Security Server client registration service (clientReg), Security Server client deletion service (clientDeletion), authentication certificate deletion service (authCertDeletion)
    • Run on port 4002

Before the fix, all management services were running on port 4001. After the fix, authCertReg runs on port 4001 and the other management services on port 4002. In this way, access to the authentication certificate registration service and to the other management services can be controlled separately by a firewall, as they run on different ports. Access to port 4002 must be allowed from management Security Server(s) only.

In addition, it is not possible to launch the generation of the global configuration through port 4001 anymore. The generation of the global configuration can be launched from localhost (Central Server) or through port 4400.

Changes to configuration

After the fix has been applied, the X-Road operator must update the management services URL on management Security Server(s). The new management services URL depends on whether management services are accessed using HTTP or HTTPS.

Current URL | New URL
http://<CENTRAL_SERVER_HOST>:4400/managementservice/ | http://<CENTRAL_SERVER_HOST>:4400/managementservice/manage/
https://<CENTRAL_SERVER_HOST>:4001/managementservice/ | https://<CENTRAL_SERVER_HOST>:4002/managementservice/manage/

Access to ports 4002 and 4400 must be allowed from management Security Server(s) only.
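As an added example (not X-Road project code), the following Python models the port split described under "Fix" and the two operator tasks under "Changes to configuration": checking that a Central Server firewall policy exposes port 4001 to all Security Servers but ports 4002 and 4400 only to the management Security Server(s), and rewriting the pre-6.19.1 management services URL to the new form. The firewall model (first-match rules of source CIDR, destination port and action, default deny), the addresses and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Port roles after the 6.19.1 fix (from the release notes).
AUTH_CERT_REG_PORT = 4001             # authCertReg: every Security Server needs it
MANAGEMENT_ONLY_PORTS = (4002, 4400)  # clientReg/clientDeletion/authCertDeletion, gen_conf

# Constructed example policy (assumed simplified model: first-match rules of
# (source CIDR, destination port, action), default deny). 10.0.0.0/24 holds the
# Security Servers; 10.0.0.10 is the management Security Server.
EXAMPLE_RULES = [
    ("10.0.0.10/32", 4002, "allow"),
    ("10.0.0.10/32", 4400, "allow"),
    ("10.0.0.0/24", 4001, "allow"),
]

def allowed(rules, src_ip, port):
    """First matching rule decides; no match means deny."""
    ip = ipaddress.ip_address(src_ip)
    for cidr, rule_port, action in rules:
        if rule_port == port and ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return False

def check_central_server_policy(rules, security_servers, management_servers):
    """Return the list of violations of the 6.19.1 port policy (empty = compliant)."""
    problems = []
    for ip in security_servers:
        if not allowed(rules, ip, AUTH_CERT_REG_PORT):
            problems.append(f"{ip} cannot reach authCertReg on port {AUTH_CERT_REG_PORT}")
    for port in MANAGEMENT_ONLY_PORTS:
        for ip in security_servers:
            if ip not in management_servers and allowed(rules, ip, port):
                problems.append(f"non-management server {ip} can reach port {port}")
        for ip in management_servers:
            if not allowed(rules, ip, port):
                problems.append(f"management server {ip} cannot reach port {port}")
    return problems

def migrate_management_url(url):
    """Rewrite a pre-6.19.1 management services URL to the form this release requires."""
    parts = urlsplit(url)
    if parts.scheme == "https" and parts.port == 4001:
        netloc = f"{parts.hostname}:4002"     # HTTPS moves to the new port 4002
    elif parts.scheme == "http" and parts.port == 4400:
        netloc = parts.netloc                 # HTTP stays on port 4400
    else:
        raise ValueError(f"not a pre-6.19.1 management services URL: {url}")
    path = parts.path.rstrip("/") + "/manage/"  # new /manage/ path suffix
    return urlunsplit((parts.scheme, netloc, path, "", ""))
```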

Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).

New/Updated Dependencies

Dependency | Old Version | New Version | Notes
-


Other Notes

Package Repositories

Repository | URL
Trusty | deb https://artifactory.niis.org/xroad-release-deb trusty-<version> main
RPM | https://artifactory.niis.org/xroad-release-rpm/rhel/7/<version>

The repository signing key can be downloaded from: https://artifactory.niis.org/api/gpg/key/public

Packages

Trusty

Package | SHA256 checksum


RPM

Package | SHA256 checksum
