X-Road v6.18.1 Release Notes

Release Info

Version number: 6.18.1
Release date: 07.02.2019
Supported versions:
  • 6.18.X
  • 6.19.X
  • 6.20.X
Supported platforms:

Central Server

  • Ubuntu 14.04 LTS

Configuration Proxy

  • Ubuntu 14.04 LTS

Security Server

  • Ubuntu 14.04 LTS
  • RHEL 7

Official documentation: https://github.com/nordic-institute/X-Road/tree/master/doc
Source code: https://github.com/nordic-institute/X-Road/tree/master
Software license: MIT

Changes in This Release

Summary

  • This patch release includes a security fix for management services.
  • The patch needs to be applied on the Central Server.
  • Security Servers are not affected and therefore do not need to be patched.

Completed Issues

Access to the X-Road Backlog and issue details requires signing up for an account.

Issue ID: XRDDEV-351
Type: Fix
Summary: Fix a vulnerability in management services that enables an unauthenticated server to submit management requests on other members’ behalf.

About the vulnerability

  • The management services on the Central Server are exposed through port 4001.
  • The port needs to be open so that Security Servers can send authentication certificate registration requests (authCertReg) to the Central Server.
  • It is assumed that all other management requests go through the management Security Server.
    • The management Security Server is responsible for authentication.
  • However, the other management services - Security Server client registration request (clientReg), Security Server client deletion request (clientDeletion), Security Server authentication certificate deletion request (authCertDeletion) - can also be reached directly via port 4001 without authentication.
    • Every Security Server needs access to at least port 4001 on the Central Server.
  • If one has access to port 4001 on the Central Server:
    • It is possible to send an unauthenticated clientDeletion request, and the Central Server will delete the client.
    • It is possible to send an unauthenticated clientReg request, and the Central Server will create a client registration request.
    • It is possible to send an unauthenticated authCertDeletion request, and the Central Server will delete the authentication certificate. The authentication certificate to be deleted is sent as a request parameter and therefore, the sender of the request must have access to the certificate to be deleted.

In addition, it is possible to trigger the generation of the global configuration remotely by accessing "https://<CENTRAL_SERVER_HOST>:4001/managementservice/gen_conf". The content of the global configuration cannot be modified this way, but each generation creates CPU load and repeated generation might cause a DoS by filling up the disk.

Fix

The vulnerability has been fixed by splitting the management services in two:

  • Authentication certificate registration service (authCertReg)
    • Runs on port 4001
  • Security Server client registration service (clientReg), Security Server client deletion service (clientDeletion), authentication certificate deletion service (authCertDeletion)
    • Run on port 4002

Before the fix, all management services were running on port 4001. After the fix, authCertReg runs on port 4001 and other management services on port 4002. In this way access to authentication certificate registration service and other management services can be controlled separately by a firewall as they run on different ports. Access to port 4002 must be allowed from management Security Server(s) only.

In addition, it is no longer possible to launch the generation of the global configuration through port 4001. The generation of the global configuration can be launched only from localhost (Central Server) or through port 4400.

Changes to configuration

After the fix has been applied, the X-Road operator must update the management services URL on management Security Server(s). The new management services URL depends on whether management services are accessed using HTTP or HTTPS.

HTTP
  Old URL: http://<CENTRAL_SERVER_HOST>:4400/managementservice/
  New URL: http://<CENTRAL_SERVER_HOST>:4400/managementservice/manage/

HTTPS
  Old URL: https://<CENTRAL_SERVER_HOST>:4001/managementservice/
  New URL: https://<CENTRAL_SERVER_HOST>:4002/managementservice/manage/

Access to ports 4002 and 4400 must be allowed from management Security Server(s) only.
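The firewall requirement above (port 4001 reachable by every Security Server, ports 4002 and 4400 only by the management Security Server(s)) expressed as iptables rules for the Central Server. This is an added example, not code from the release notes or the X-Road project; the management Security Server addresses are placeholders passed as arguments, the loopback ACCEPT for port 4400 assumes the operator wants to keep the documented localhost access to global configuration generation, and the rules assume an INPUT chain that is otherwise default-deny (or that they are inserted ahead of any broader ACCEPT rule).

```shell
#!/bin/sh
# Added example, not part of the X-Road release notes or the X-Road project.
# Emits iptables rules implementing the 6.18.1 management-service port split
# on the Central Server. Addresses and chain policy are assumptions, see above.

AUTHCERTREG_PORT=4001         # authCertReg: every Security Server needs this port
MGMT_ONLY_PORTS="4002 4400"   # clientReg/clientDeletion/authCertDeletion (HTTPS) and HTTP

# gen_mgmt_fw_rules <management-security-server-ip>...
# Prints the rules on stdout; returns 2 when no management Security Server is given.
gen_mgmt_fw_rules() {
    if [ $# -lt 1 ]; then
        echo "usage: gen_mgmt_fw_rules <management-security-server-ip>..." >&2
        return 2
    fi
    # authCertReg stays reachable from any Security Server
    echo "iptables -A INPUT -p tcp --dport $AUTHCERTREG_PORT -j ACCEPT"
    # localhost keeps access to port 4400 (global configuration generation) - assumption
    echo "iptables -A INPUT -i lo -p tcp --dport 4400 -j ACCEPT"
    # the remaining management services only from the management Security Server(s)
    for ip in "$@"; do
        for port in $MGMT_ONLY_PORTS; do
            echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        done
    done
    # every other source is refused on those ports
    for port in $MGMT_ONLY_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Usage: review the output first, then apply it, e.g.
#   gen_mgmt_fw_rules 192.0.2.10 | sh
# (192.0.2.10 is a documentation-range placeholder for the management Security Server.)
```

The ACCEPT rules for the management Security Server(s) are emitted before the DROP rules for the same ports, so rule order within the chain is what enforces the restriction; if the chain already accepts established connections or whole subnets earlier, insert these rules ahead of those entries.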

Issue types: fix (bug fix or technical debt), improvement (improvement to an existing feature), new (a new feature).

New/Updated Dependencies

Dependency | Old Version | New Version | Notes
- (none)

Other Notes

Package Repositories

Repository: Trusty
URL: deb https://artifactory.niis.org/xroad-release-deb trusty-<version> main

Repository: RPM
URL: https://artifactory.niis.org/xroad-release-rpm/rhel/7/<version>

The repository signing key can be downloaded from: https://artifactory.niis.org/api/gpg/key/public

Packages

Trusty

Package  SHA256 checksum
xroad-addon-hwtokens_6.18.1-1_all.deb  af2aa1db9950bb62f64d164846aece36c231b931e201a3752c4c82108c3d5971
xroad-addon-messagelog_6.18.1-1_all.deb  2aa434b2b1cc354451ec998981d570b7908c4d8f1b07de8711f8da6959b47a03
xroad-addon-metaservices_6.18.1-1_all.deb  3d39dd2033127a942c5d082e0769734378aa6c2fa7b2d39132c59870c13200b4
xroad-addon-opmonitoring_6.18.1-1_all.deb  19e070fdf0870a3299efc84cfb71fded641c348aa30dcb5676ee026639728c86
xroad-addon-proxymonitor_6.18.1-1_all.deb  f44cad3b53de44a74776c7713599cd937777266d92a073219bd832dc2562ef9f
xroad-autologin_6.18.1-1_all.deb  5edfb2d9116b19310d77d7342ebb126345631acdebc868e6e3070db2a641d975
xroad-addon-wsdlvalidator_6.18.1-1_all.deb  03b5519cb44ecd612db3e02fbae268d1d8255dd298e0ee56b594440968ea3ee8
xroad-base_6.18.1-1_amd64.deb  38f3781e49b2920ed247434c52bc40b9f4cdffa7c2b6cc2022cdcf698ccb7165
xroad-center-clusterhelper_6.18.1-1_all.deb  22038ca1bebd70f63753b74da961f2a9eeb24c570980d15ac61ce668bba29ba6
xroad-center_6.18.1-1_all.deb  1c31fe49ad93446197b2a4a11ae4bec109f80218763381d9452c690c084058ca
xroad-centralserver-monitoring_6.18.1-1_all.deb  bb82cefb3814b009fe60dfc36ccdcd05e11487607830071460eceadfebc06248
xroad-common_6.18.1-1_amd64.deb  39525d1bda8aaba8f9d73f3d652e03a715911ce872c1e27308844f406611f9bc
xroad-centralserver_6.18.1-1_all.deb  195b56019f657cdbfe3812d3c12b346b6496db83a252a559676ea8b9f3b3ac2f
xroad-confclient_6.18.1-1_amd64.deb  a223bd7ccc945192909a7a4f0f43cb56e6ca97b4410a6b217d37b825b82429d8
xroad-confproxy_6.18.1-1_all.deb  8160904d3a89a4d6880f79193ecd2d2a2b6bc94c0ceab3c030d930549130f2f5
xroad-jetty9_6.18.1-1_all.deb  aece7ac31c02758e6dec76ed904340b0f15f3be6b2043e600130ccddd4ae2869
xroad-monitor_6.18.1-1_all.deb  693c97ab371afc40e9eb02b01daea74e993bfe8761344e18113003d2e08b77c4
xroad-nginx_6.18.1-1_amd64.deb  ef63a4fe33bf90daa0da943eb1db921a559b0bbbafd665bf3f9e2f04948f649a
xroad-opmonitor_6.18.1-1_all.deb  08ce5d7f479a75a83b6510b46ae1874ffcbedeb19e730ab5669d74117fe33244
xroad-proxy_6.18.1-1_all.deb  41aea470b78eb28d248551a2f266a4eb603d87e95329e50e4615a6690a83a350
xroad-securityserver-ee_6.18.1-1_all.deb  55688ccd520a7be6acd91b52e7b0e3a3690a3057b04e90129821796b5cdfa3ec
xroad-securityserver-fi_6.18.1-1_all.deb  881c7110ab724e0a7926679e124193efb37ffe9a44d268ba64051841915b1e96
xroad-securityserver_6.18.1-1_all.deb  4cce785ac07da3fad36f0ad16fe3b6f767006a4b8a01c3e5b40295dc77763bbf
xroad-signer_6.18.1-1_amd64.deb  9f6a888a26201f0a5f5fc875705e11295c1e1a7275f2245c5b220d3dc39bdc36

RPM

Package  SHA256 checksum
xroad-addon-messagelog-6.18.1-1.el7.x86_64.rpm  e706c2958dd57481e81f99c2a20a171743e56526029de8eed5529107a6eaa6f2
xroad-addon-metaservices-6.18.1-1.el7.x86_64.rpm  4d97e25408c2b49c0f88ecf92fabae82aaa0ac02f9d50e5088266c28fefcbec0
xroad-addon-opmonitoring-6.18.1-1.el7.x86_64.rpm  48790fb2db91f1f0a8e5cca04a53f0e9e8d9832febdc559083eb244680364d51
xroad-addon-proxymonitor-6.18.1-1.el7.x86_64.rpm  e72aa9083d3578d87e7fa2fdf68930634fde4fab87b347948fcc4ff19ed5e545
xroad-addon-wsdlvalidator-6.18.1-1.el7.x86_64.rpm  4f09c473d8ff8d071e53c123a5110a0ae4da0995bad14e0752794963038b01df
xroad-autologin-6.18.1-1.el7.noarch.rpm  1af4fae51f08533b41bc6af71bfa79463e21a790cc55cffb3a6728387aa5e2e2
xroad-base-6.18.1-1.el7.x86_64.rpm  6057fa0e456aa17e6259392c90224ae9a109e780c1221713ab453b71a2e0d1f2
xroad-common-6.18.1-1.el7.x86_64.rpm  4b1c2dfb84f4ddc9321c0cba4c901340ab9435a6587f75d64cdb628a41aa2a2b
xroad-confclient-6.18.1-1.el7.x86_64.rpm  f1b24b483d35e96d28212ce86a8dff5f5890985b9986bf518670be51ce8d0270
xroad-jetty9-6.18.1-1.el7.x86_64.rpm  1f54180dd6ee2d4a2c7ff6017694ed473277e9979816345db778a596af83e2a7
xroad-monitor-6.18.1-1.el7.x86_64.rpm  7061b2e1efc1df49818ee6cf70e68cd2af5f3981e596208a381e4573a5a178a0
xroad-nginx-6.18.1-1.el7.x86_64.rpm  8989e6ad139aa135eae461761255aa51762cbaf993790762d0f32ffe934c117a
xroad-opmonitor-6.18.1-1.el7.x86_64.rpm  80c529d5e45454436b4ce157927e61dc9e0d2ef12825ba172df9cfa59847ae7b
xroad-proxy-6.18.1-1.el7.x86_64.rpm  6e0aa8a3bb81de6eeb93ad9c00499685b0f38b1c25b19f0e14c91e8f9344634b
xroad-securityserver-6.18.1-1.el7.noarch.rpm  0e41ced43d0e5ad12a204932e7c11908ca0a1f547cf0120ccb29039c678dfc37
xroad-securityserver-fi-6.18.1-1.el7.noarch.rpm  a60f10babfc7770b37eb25741bb8aa27337bd5b9fc98649f0ad99bd8a068d610
xroad-signer-6.18.1-1.el7.x86_64.rpm  c4c0f836e3d4d0cdff0b2d85157e879a824a352f9437526f06674714daf3bb1e
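A script for checking downloaded packages against the SHA256 checksums published above before installing them. It is an added example, not code from the release notes or the X-Road project; it assumes GNU coreutils sha256sum is available and that the operator saves the package/checksum lines from this page into a manifest file in the same two-column order as the tables (package file name, then checksum). The demo function works only on constructed files and does not download anything.

```shell
#!/bin/sh
# Added example, not part of the X-Road release notes or the X-Road project.
# Verifies package files against a manifest of SHA256 checksums before they are
# installed. Requires sha256sum (GNU coreutils).
#
# Manifest format follows the release notes' table order, one package per line:
#   <package file name>  <sha256 checksum>
# Lines whose second field is not a 64-digit hex string (such as the table's
# "Package  SHA256 checksum" header) are ignored, so the table can be pasted as-is.

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_packages <manifest> <download dir>
# Prints one status line per package; returns 0 only when every package listed
# in the manifest exists in the directory and matches its checksum.
verify_packages() {
    manifest="$1"
    dir="$2"
    failed=0
    while read -r name expected; do
        # skip blank and header lines: a checksum is exactly 64 lowercase hex digits
        case "$expected" in
            *[!0-9a-f]*|"") continue ;;
        esac
        [ "${#expected}" -eq 64 ] || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            failed=1
        elif [ "$(sha256_of "$path")" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            failed=1
        fi
    done < "$manifest"
    return "$failed"
}

# Self-contained demonstration on constructed files (no real packages involved):
# returns 0 when an intact file verifies and a tampered copy is rejected.
demo() {
    tmp=$(mktemp -d)
    pkg="$tmp/xroad-example_6.18.1-1_all.deb"      # constructed placeholder name
    printf 'constructed package contents\n' > "$pkg"
    {
        echo "Package  SHA256 checksum"             # header line, ignored by verify_packages
        echo "xroad-example_6.18.1-1_all.deb  $(sha256_of "$pkg")"
    } > "$tmp/manifest.txt"
    verify_packages "$tmp/manifest.txt" "$tmp" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$pkg"                            # tamper with the file
    if verify_packages "$tmp/manifest.txt" "$tmp"; then
        rm -rf "$tmp"; return 1                     # tampering went unnoticed
    fi
    rm -rf "$tmp"
    return 0
}

# Usage: verify_packages xroad-6.18.1-trusty.sha256 ./downloads
# Run this file with the argument "demo" to exercise the constructed scenario.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Checksum verification complements, rather than replaces, the repository signing key listed above: the apt/yum signature check authenticates the repository metadata, while this comparison confirms that the files actually on disk are the ones whose checksums were published with the release.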