teleport

The easiest and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

Stars
17.1K
Committers
305


teleport - Teleport 6.2.22

Published by r0mant almost 3 years ago

Description

This release of Teleport contains multiple security fixes discovered as a part of a routine security audit.

Insufficient authorization check in self-hosted MySQL database access

Teleport's MySQL proxy engine did not handle the internal MySQL protocol command that allows a client to reauthenticate the active connection.

This could allow an attacker with a valid client certificate for a particular database user to reauthenticate as a different MySQL user created using the require x509 clause.
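One way a protocol-aware proxy can close this kind of gap, as an added example (not Teleport's code): inspect every command-phase packet and refuse in-band reauthentication. It assumes the command in question is MySQL's COM_CHANGE_USER (0x11), which the release note does not name; the function names and sample packets are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// MySQL command bytes: the first payload byte of a command-phase packet.
const (
	comQuery      = 0x03
	comChangeUser = 0x11 // re-authenticates the open connection as another user
)

var errReauth = errors.New("COM_CHANGE_USER rejected: identity is bound to the client certificate")

// inspectCommand parses one client packet (3-byte little-endian payload
// length, 1-byte sequence id, payload) and applies the proxy policy.
func inspectCommand(pkt []byte) (byte, error) {
	if len(pkt) < 5 {
		return 0, errors.New("short packet: need 4-byte header and a command byte")
	}
	declared := int(pkt[0]) | int(pkt[1])<<8 | int(pkt[2])<<16
	if declared != len(pkt)-4 {
		return 0, fmt.Errorf("payload is %d bytes, header says %d", len(pkt)-4, declared)
	}
	if pkt[3] != 0 {
		return 0, fmt.Errorf("sequence id %d: not the start of a command", pkt[3])
	}
	cmd := pkt[4]
	if cmd == comChangeUser {
		// Forwarding this would let the backend switch users without the
		// proxy re-running its own authorization for the new user.
		return cmd, errReauth
	}
	return cmd, nil
}

// Constructed sample packets: a query, and a change-user request for "bob".
var sampleQuery = append([]byte{0x09, 0x00, 0x00, 0x00, 0x03}, "SELECT 1"...)
var sampleChangeUser = []byte{0x05, 0x00, 0x00, 0x00, 0x11, 'b', 'o', 'b', 0x00}

func main() {
	for _, p := range [][]byte{sampleQuery, sampleChangeUser} {
		cmd, err := inspectCommand(p)
		fmt.Printf("command 0x%02x: err=%v\n", cmd, err)
	}
}
```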

Authorization bypass in application access

When proxying a websocket connection, Teleport did not check for a successful connection upgrade response from the target application.

In scenarios where the Teleport proxy is located behind a load balancer, this could result in the load balancer reusing the cached authenticated connection for future unauthenticated requests.
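The missing check, sketched as an added example (not Teleport's code): before a proxy switches a client connection to raw byte tunnelling, it confirms that the upstream actually answered the upgrade request with 101 and the websocket upgrade headers. The function names and the raw responses are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// hasToken reports whether a comma-separated header carries token (case-insensitive).
func hasToken(h http.Header, name, token string) bool {
	for _, v := range h.Values(name) {
		for _, part := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(part), token) {
				return true
			}
		}
	}
	return false
}

// checkUpgrade returns nil only if the upstream agreed to a websocket upgrade.
func checkUpgrade(resp *http.Response) error {
	if resp.StatusCode != http.StatusSwitchingProtocols {
		return fmt.Errorf("upstream refused upgrade: status %d", resp.StatusCode)
	}
	if !hasToken(resp.Header, "Connection", "upgrade") ||
		!hasToken(resp.Header, "Upgrade", "websocket") {
		return fmt.Errorf("101 response lacks websocket upgrade headers")
	}
	return nil
}

// checkRaw parses a raw upstream response and applies checkUpgrade to it.
func checkRaw(raw string) error {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return err
	}
	return checkUpgrade(resp)
}

// Constructed upstream responses: an accepted and a refused upgrade.
const okResp = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
const deniedResp = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

func main() {
	fmt.Println("101:", checkRaw(okResp))
	fmt.Println("403:", checkRaw(deniedResp))
}
```

When the check fails, the proxy should relay the upstream response as ordinary HTTP and not treat the client connection as an established tunnel.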

Missing password confirmation on password change

Teleport did not check the old password if the cluster had "optional" second factor and the user had no registered MFA devices.

This could allow an attacker with access to a user's authenticated browser session to change their password.

Actions

Users should back up the Teleport cluster, then follow the standard Teleport upgrade procedure:

  • For all Teleport users, we recommend upgrading auth servers.
  • For Database Access users we recommend upgrading database agents that handle connections to self-hosted MySQL servers.
  • For Application Access users we recommend upgrading application agents.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

For Teleport Enterprise customers, 6.2.22 is identical to 6.2.20.

teleport - Teleport 8.0.0-dev.36

Published by russjones almost 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 8.0.1

Published by r0mant almost 3 years ago

This release of Teleport contains multiple improvements, bug fixes and a security fix.

Description

  • Mitigated CVE-2021-43565 by updating golang.org/x/crypto. #9203
  • Desktop Access: Windows Desktop discovery can now be customized by specifying a base DN and LDAP filters to search. #9201
  • Added Azure PostgreSQL and MySQL managed identity authentication support to database access. #9185
  • Added support for RBAC "where" condition for active sessions. #9076
  • Added hint to tsh that MFA is not supported on Windows. #9198
  • Fixed an issue with long redirect URLs causing tsh login to fail. #8980
  • Fixed Okta SAML authentication issues when email address contains + sign. #8396
  • Added application metadata to application access audit events. #9056
  • Fixed an issue with malformed MySQL client handshake messages crashing proxy. #9162
  • Added support for --cert-file, --key-file and --public-addr to teleport configure command. #9049
  • Made sure reverse tunnel agents reconnect to the proxy after tunnel address change. #9043
  • Made Teleport startup more resilient to the presence of invalid roles in the backend. #9105

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.3.6

Published by r0mant almost 3 years ago

This release of Teleport contains a security fix.

Description

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.2.19

Published by r0mant almost 3 years ago

This release of Teleport contains a security fix.

Description

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.3.5

Published by russjones almost 3 years ago

This release of Teleport contains a fix.

Description

  • Fixed issue in Database Access that could cause MySQL listeners to crash. #9163

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.3.4

Published by russjones almost 3 years ago

This release of Teleport contains a fix.

Description

  • Fixed an issue that could cause search engine crawlers to break signup and login pages.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.3.3-dev.1

Published by xacrimon almost 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.2.8-dev.4

Published by russjones almost 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 8.0.0

Published by russjones almost 3 years ago

Teleport 8.0 is a major release of Teleport that contains new features, improvements, and bug fixes.

New Features

Windows Desktop Access Preview

Teleport 8.0 includes a preview of the Windows Desktop Access feature, allowing users passwordless login to Windows Desktops via any modern web browser.

Teleport users can connect to Active Directory enrolled Windows hosts running Windows 10, Windows Server 2012 R2 and newer Windows versions.

To try this feature yourself, check out our Getting Started Guide.

Review the Desktop Access design in:

TLS Routing

In TLS routing mode all client connections are wrapped in TLS and multiplexed on a single Teleport proxy port.

TLS routing can be enabled by including the following auth service configuration:

auth_service:
  proxy_listener_mode: multiplex
  ...

and setting proxy configuration version to v2 to prevent legacy listeners from being created:

version: v2
proxy_service:
  ...

AWS CLI

Teleport application access extends AWS console support to the CLI. Users are able to log into their AWS console using tsh app login and use tsh aws commands to interact with AWS APIs.

See more info in the documentation.

Application and Database Dynamic Registration

With dynamic registration users are able to manage applications and databases without needing to update static YAML configuration or restart application or database agents.

See dynamic registration guides for apps and databases.

RDS Automatic Discovery

With RDS auto discovery Teleport database agents can automatically discover RDS instances and Aurora clusters in an AWS account.

See updated RDS guide for more information.

WebAuthn

WebAuthn support enables Teleport users to use modern second factor options, including Apple FaceID and TouchID.

In addition, the Teleport Web UI includes new second factor management tools, enabling users to configure and update their second factor devices via their web browser.

Lastly, our UI becomes more secure by requiring an additional second factor confirmation for certain privileged actions (editing roles for second factor confirmation, for example).

Improvements

  • Added support for CockroachDB to Database Access. #8505
  • Reduced network utilization on large clusters during login. #8471
  • Added metrics and added the ability for tctl top to show network utilization for resource propagation. #8338 #8603 #8491
  • Added support for account recovery and cancellation. #6769
  • Added per-session MFA support to Database Access. #8270
  • Added support for profile specific kubeconfig. #7840

Fixes

  • Fixed issues with web applications that utilized EventSource with Application Access. #8359 contributed by @stefansedich
  • Fixed issue where interactive sessions would always return exit code 0. #8081
  • Fixed issue where JWT signer was omitted from bootstrap logic. #8119

Breaking Changes

CentOS 6

CentOS 6 support will be deprecated in Teleport 8 and removed in Teleport 9.

Teleport 8 will continue to receive security patches for about 9 months after which it will be EOL. Users are encouraged to upgrade to CentOS 7 in that time frame.

Updated dependencies

New run time dependencies have been added to Teleport 8 due to the inclusion of Rust in the build chain. Teleport 8 requires libgcc_s.so and libm.so be installed on systems running Teleport.

Users of distroless container images are encouraged to use the gcr.io/distroless/cc-debian11 image to run Teleport.

FROM gcr.io/distroless/cc-debian11

Alpine users are recommended to install the libgcc package in addition to any glibc compatibility layer they have already been using.

apk --update --no-cache add libgcc

Database Access Certificates

With the GODEBUG=x509ignoreCN=0 flag removed in Go 1.17, Database Access users will no longer be able to connect to databases that include their hostname in the CommonName field of the presented certificate. Users are recommended to update their database certificates to include hostname in the Subject Alternative Name extension instead.

Subscribe to GitHub issue #7636, which will add the ability to control the level of TLS verification as a workaround.

Role Changes

New clusters will no longer have the default admin role; it has been replaced with 3 smaller scoped roles: access, auditor, and editor.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 8.0.0-rc.3

Published by russjones almost 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 8.0.0-rc.1

Published by russjones almost 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 8.0.0-beta.3

Published by russjones almost 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.3.3

Published by fspmarshall almost 3 years ago

This release of Teleport contains performance improvements, fixes, and a feature.

Description

  • Improved cache and label-based operations performance. #8670
  • Added support for custom routing_strategy configuration. #8567
  • Fixed an issue with "Simplified EC2 Join" for some regions. #8704
  • Fixed a regression in web terminal. #8797

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.2.18

Published by fspmarshall almost 3 years ago

This release of Teleport contains a bug fix.

Description

  • Fix type error in config validation when using routing_strategy config option.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 6.2.17

Published by fspmarshall almost 3 years ago

This release of Teleport contains performance improvements and a feature.

Description

  • Improved cache and label-based operations performance. #8670
  • Added support for custom routing_strategy configuration. #8567

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 8.0.0-beta.2

Published by russjones almost 3 years ago

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.3.2

Published by russjones about 3 years ago

This release of Teleport contains a feature and a fix.

Description

  • Fixed issue that could cause kubectl exec to fail. #8601
  • Added email notification plugin, see Teleport Plugins 7.3.2 for more details.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.3.0

Published by russjones about 3 years ago

This release of Teleport contains a feature and a fix.

Description

  • Added ability for nodes to join cluster without needing to share secret tokens on AWS. See Node Joining in AWS guide for more details. #8250 #7292
  • Fixed an issue that could cause intermittent connectivity issues for Kubernetes Access. #8362

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

teleport - Teleport 7.2.1

Published by russjones about 3 years ago

This release of Teleport contains features and fixes.

Description

  • Added network and resource utilization information to tctl top. #8338
  • Fixed issue that prevented OIDC integration with Ping. #8308
  • Added ability for agents to connect over HTTP with --insecure flag. #7835
  • Updated CLI SSO login flow to use Javascript redirect instead of a 302 redirect to support users with high number of claims. #8293

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.