nacos

an easy-to-use dynamic service discovery, configuration and service management platform for building cloud native applications.

APACHE-2.0 License

Stars: 30.1K
Committers: 409
nacos - 2.4.2 (Sep 5th, 2024) Latest Release

Published by KomachiSion about 2 months ago

This version primarily fixes a potential deadlock during startup related to Raft protocol initialization in version 2.4.1 (#12526). It also reverts the 2.4.1 change that lowered the hessian version, which caused startup failures on JDK 17+ due to conflicts with hessian dependencies. Additionally, the ServerStatus check logic has been optimized so that Raft election failures no longer affect the availability of functionality that does not depend on Raft.

Furthermore, this version includes several usability enhancements and addresses some other bugs.

Please see the details of the changes below:

Change details

Enhancement&Refactor

[#12483] Configuration list now shows the configuration format.
[#12547] Nacos client supports desensitization (masking of sensitive values) in logging.
[#12555] SwitchManager supports http, tcp and mysql HealthParams and pushCSharpVersion updates.
[#12569] Enhance the table-existence check logic to support more databases.
[#12573] Enhance the server status check to avoid affecting core features.
[#12583] Enhance the protocolManager lock logic.
[#12608] Enhance the config diff view, with support for collapsing identical rows.

BugFix

[#12093] Fix reset password succeeding but showing no message.
[#12498][#12503] Revert "Resolve the Hessian package conflict issue. (#12449)".
[#12509] Fix nacos-client accessToken update bug.
[#12526] Fix possible deadlock during startup.
[#12563] Fix invalid paramchecker bug.
[#12581] Fix namespace quota and optimize parameters.
[#12604] Fix getting config labels from environment parameters.
[#12610] Fix wrong error code for HTTP open API requests.

Dependency

[#12568] Upgrade mysql-connector-j from 8.0.33 to 8.2.0.
[#12387] Upgrade logback adapter to 1.1.3.
[#12586][#12596] Upgrade spring version to 5.3.39.
[#12596] Upgrade tomcat to 9.0.93.

Full Changelog: https://github.com/alibaba/nacos/compare/2.4.1...2.4.2

nacos - 2.4.1 (Aug 15th, 2024)

Published by KomachiSion 2 months ago

This version mainly fixes an arbitrary file read/write issue that can occur during the processing of some Jraft requests.

The vulnerability only affects port 7848 (under the default settings). This port is normally the communication port for the Raft protocol between Nacos cluster nodes and does not serve client requests, so older versions can stop the bleeding by blocking requests to this port from outside the Nacos cluster (if the port was already restricted or not exposed at deployment time, the risk is under control).

Additionally, building on 2.4.0, this version further optimizes the Derby Ops API by restricting the range of SQL that the Derby database may execute by default, reducing the risk to users who have enabled the Derby Ops API.

Please see the details of the changes below:

Change details

Enhancement&Refactor

[#11887] Add hints when token.secret.key is not base64.
[#12311] Enhance console to support the namespace list with selectors.
[#12405] LDAP plugin supports a custom admin user password by default.
[#12446] Enhance the hint shown when the default auth plugin gets a Mac Instance with an error.
[#12466] Make the service metadata and instance metadata length limits configurable.
[#12477] Enhance the default auth plugin to support auth_basic on logout.
[#12489] Remove KvStorage and ConsistencyService.
[#12490] Enhance derby mode to support limiting the allowed SQL types.

BugFix

[#12301] Fix health check for persistent instances in different namespaces that share the same groupName and serviceName.
[#12374] Fix memory calculation error in the metrics API.
[#12397] Fix parsing of an empty connection control rule.
[#12410] Fix missing hint when beta config content differs from the formal content.

Dependency

[#12342] Resolve the Hessian package conflict.

Full Changelog: https://github.com/alibaba/nacos/compare/2.4.0.1...2.4.1

nacos - 1.4.8 (Aug 15th, 2024)

Published by KomachiSion 2 months ago

Full Changelog: https://github.com/alibaba/nacos/compare/1.4.7...1.4.8

nacos - 2.4.0.1 (July 22nd, 2024)

Published by KomachiSion 3 months ago

This version is a quick fix for two blocking issues in 2.4.0, #12387 and #12395, which could prevent passwords from being changed and new users from being created when not using a MySQL database with the new table structures.

Full Changelog: https://github.com/alibaba/nacos/compare/2.4.0...2.4.0.1

nacos - 2.4.0 (July 19th, 2024)

Published by KomachiSion 3 months ago

This version is an important release that supports many new features.

The main feature is that Nacos now lets the maintainer initialize the password of the admin user nacos instead of using a default password, improving the default security of deployed Nacos clusters.

Another change is that the Derby Ops API is disabled by default, to prevent false alarms about the corresponding risks for users who deploy in standalone mode without authentication enabled. Maintainers who want to use this API to maintain and query data in Derby can set nacos.config.derby.ops.enabled=true to open it.

Other main features: TLS gRPC communication between Nacos cluster nodes is supported as an optional feature to improve Nacos security, so TLS is no longer limited to client-server communication. Nacos also starts to support user-extended Selectors that run before the Subscriber callback in the naming module, so service instances can be selected by more than health status and clusters. And the Nacos client supports delivering service diffs through a new event, reducing the Subscriber's cache and compare logic.

A third group of features adds some config usages in the Nacos console and more enhancement usages for plugins, such as adding all metadata to the Prometheus SD protocol and supporting the Aliyun RAM v4 signature.

In addition to substantial feature updates, this version also fixes some bugs from previous versions and upgrades certain dependencies with security vulnerabilities.

Details:

Feature

[#10374] Support naming custom selectors and service diff events.
[#11456] Support TLS gRPC communication between Nacos cluster nodes.
[#11847] Nacos console supports publishing config with CAS.
[#11943] Record users for imported configs.
[#11957] Remove the default password for user nacos.
[#12130] Add metadata as labels in Prometheus HTTP SD.
[#12162] Support the Aliyun RAM v4 signature method.

Enhancement&Refactor

[#11956] Refactor the nacos client logging module, using SPI to load the current logger adapter.
[#12013] Allow quick configuration of Nacos memory settings in startup.sh through the CUSTOM_NACOS_MEMORY environment variable.
[#12072] Impose no limit when totalCountLimit is less than 0.
[#12166] Enhance the nacos client init properties logger.
[#12177] Update the console header link to the new nacos.io.
[#12178] Add total record count display in pagination.
[#12185] Use nacos properties in CacheDirUtil.
[#12221] Remove the accessToken from the URL.
[#12235] Enhance the logging format in the ResponseExceptionHandler.
[#12246] Internationalize the display of total counts in the configuration list and service list.
[#12321] Enhance the log for unexpected exceptions from NetworkInterface.ifUp.
[#12355] Record the cost of ConfigDump in Prometheus.
[#12372] Disable the derby ops API by default.
[#12382] Support the RAM info switch.

BugFix

[#10639] Fix encrypted_data_key being of text type, which prevented old versions from upgrading directly.
[#11902] Fix leak of request and response in the Java native runtime for nacos-client.
[#11926] Fix Nacos being unable to trigger self-protection when the disk is full on some OSes.
[#11951] Fix the serviceName and groupName not being resolved correctly when deleting an empty service instance.
[#11967] Fix config that can't be published or listened to when the dataId contains certain special words on Windows.
[#11968] Fix configuration conflicts between multiple config change plugin implementations.
[#12022] Fix nacos datasource plugin ClassCastException problem.
[#12046] Fix cipher-aes config encrypt plugin not taking effect when a config is published again.
[#12060] Fix too large TTL when auth is disabled.
[#12146] Fix the operation type not being displayed when rolling back a configuration with a delete operation type.
[#12168] Fix the labels of the query conditions on the Permission Control - Role Management page still being displayed in Chinese after switching the system language to English.
[#12180] Fix the operator not being recorded during clone and import operations.
[#12196] Fix Prometheus HTTP SD invalid label names.
[#12207] Fix disk failover datasource not keeping status.
[#12197] Add an id primary key column to both the roles and permissions tables.
[#12219] Fix ServerListManager in nacos-client failing to parse the endpoint in the config.
[#12253] Add endpoint cluster name for the config and naming server list managers.
[#12265] Fix the nacos client dependency tree missing the grpc package.
[#12323] Fix nacos client logback configuration overriding packagingData.
[#12333] Fix the auth plugin resource parser being unable to parse the namespaceId of the v2 config open API.

Dependency

[#11904] Bump Spring Security to 5.7.12.
[#11975] Remove unused dependency javatuple.
[#11980] Bump Spring Framework to 5.3.34.
[#12135] Upgrade module nacos-console from junit4 to junit5.
[#12369] Upgrade grpc to 1.64.2.

Full Changelog: https://github.com/alibaba/nacos/compare/2.4.0-BETA...2.4.0

nacos - 2.3.3 (Jun 25th, 2024) (client only)

Published by KomachiSion 4 months ago

This version mainly fixes one blocking client bug and adds support for the Java agent parsing the RAM info switch.

The blocking client bug was introduced in client version 2.3.0, as detailed in issue #10792. The intended change was to unify the address server addressing logic for both the registry and the configuration center and to support custom modification of the address server's path.

However, in a Spring Cloud environment, the clusterName parameter for discovery has a specific business meaning: it denotes the clusterName attribute of the registered service instance. When users configure the clusterName attribute for service instances, it simultaneously alters the path used for addressing the address server.

This bug was primarily caused by the previous ambiguity in the Nacos client's parameter naming.

To resolve this issue, starting from version 2.3.3, parameters used to control the address server are prefixed with "Endpoint". Specifically:

The clusterName parameter for the endpoint is renamed to endpointClusterName.
The clusterName attribute used by the registry for service instances remains unchanged.

Previous Configuration:

spring.cloud.nacos.discovery.clusterName=my-service-cluster
spring.cloud.nacos.config.clusterName=my-service-cluster

Updated Configuration:

spring.cloud.nacos.discovery.endpointClusterName=my-endpoint-cluster
spring.cloud.nacos.discovery.clusterName=my-service-cluster
spring.cloud.nacos.config.endpointClusterName=my-endpoint-cluster

nacos - 2.4.0-BETA (Jun 6th, 2024)

Published by KomachiSion 5 months ago

This version is an important release that supports many new features.

The main feature is that Nacos now lets the maintainer initialize the password of the admin user nacos instead of using a default password, improving the default security of deployed Nacos clusters.

Other main features: TLS gRPC communication between Nacos cluster nodes is supported as an optional feature to improve Nacos security, so TLS is no longer limited to client-server communication. Nacos also starts to support user-extended Selectors that run before the Subscriber callback in the naming module, so service instances can be selected by more than health status and clusters. And the Nacos client supports delivering service diffs through a new event, reducing the Subscriber's cache and compare logic.

A third group of features adds some config usages in the Nacos console and more enhancement usages for plugins, such as adding all metadata to the Prometheus SD protocol and supporting the Aliyun RAM v4 signature.

In addition to substantial feature updates, this version also fixes some bugs from previous versions and upgrades certain dependencies with security vulnerabilities.

Details:

Feature

[#10374] Support naming custom selectors and service diff events.
[#11456] Support TLS gRPC communication between Nacos cluster nodes.
[#11847] Nacos console supports publishing config with CAS.
[#11943] Record users for imported configs.
[#11957] Remove the default password for user nacos.
[#12130] Add metadata as labels in Prometheus HTTP SD.
[#12162] Support the Aliyun RAM v4 signature method.

Enhancement&Refactor

[#11956] Refactor the nacos client logging module, using SPI to load the current logger adapter.
[#12013] Allow quick configuration of Nacos memory settings in startup.sh through the CUSTOM_NACOS_MEMORY environment variable.
[#12072] Impose no limit when totalCountLimit is less than 0.
[#12166] Enhance the nacos client init properties logger.
[#12177] Update the console header link to the new nacos.io.

BugFix

[#10639] Fix encrypted_data_key being of text type, which prevented old versions from upgrading directly.
[#11902] Fix leak of request and response in the Java native runtime for nacos-client.
[#11926] Fix Nacos being unable to trigger self-protection when the disk is full on some OSes.
[#11951] Fix the serviceName and groupName not being resolved correctly when deleting an empty service instance.
[#11967] Fix config that can't be published or listened to when the dataId contains certain special words on Windows.
[#11968] Fix configuration conflicts between multiple config change plugin implementations.
[#12022] Fix nacos datasource plugin ClassCastException problem.
[#12060] Fix too large TTL when auth is disabled.
[#12146] Fix the operation type not being displayed when rolling back a configuration with a delete operation type.
[#12168] Fix the labels of the query conditions on the Permission Control - Role Management page still being displayed in Chinese after switching the system language to English.

Dependency

[#11904] Bump Spring Security to 5.7.12.
[#11975] Remove unused dependency javatuple.
[#11980] Bump Spring Framework to 5.3.34.
[#12135] Upgrade module nacos-console from junit4 to junit5.

Full Changelog: https://github.com/alibaba/nacos/compare/2.3.2...2.4.0-BETA

nacos - 2.3.2 (Apr 3rd, 2024)

Published by KomachiSion 7 months ago

This version mainly fixes issue #11880, which caused nacos-server to frequently push config to nacos-client 2.3.1 even when the data had not changed, increasing client and server resource costs.

At the same time, this version fixes other usage issues found in 2.3.1 and older versions.

Details:

Enhancement&Refactor

[#11752] Make contentPath configurable for AddressServerUrl.
[#11801] Refactor PageHandlerAdapterFactory.
[#11844][#11867][#11903] Refactor connection and client labels content.
[#11895] Enhance the response when registering a service instance on a non-connected connection.

BugFix

[#11536] Fix failover being triggered unexpectedly.
[#11821] Fix announcement API not limiting the path expression.
[#11835] Fix service being removed after server restart when the service contains metadata.
[#11842] Fix wrong response status code for some APIs.
[#11843] Fix nacos/v2/ns/client/* API returning wrong data for batch-registered services.
[#11853] Fix nacos-client failing to start on native GraalVM.
[#11880] Fix config module frequently pushing new config data even when the config has not changed.

Dependency

[#11874] Bump mysql-connector-java to 8.0.33.
[#11811] Bump Spring Web to 5.3.33.
[#11913] Bump console UI dependencies to solve security problems via npm audit fix.

Full Changelog: https://github.com/alibaba/nacos/compare/2.3.1...2.3.2

nacos - 2.3.1 (Mar 4, 2024)

Published by KomachiSion 8 months ago

This version mainly contains enhancements and bug fixes for 2.3.0 to improve usability and stability.

From this version, Nacos again supports snowflake-generated instance ids, with the same usage as in older versions.

For the console, this version adds a new dark mode style. Thanks to the community contributors.

Details:

Feature

[#9001] Support snowFlakeInstanceId via SPI.
[#11441][#11708] Add console UI dark mode.

Enhancement&Refactor

[#10846] Support metrics for the grpc server executor and grpc requests.
[#11053] Enhance Nacos client failover logic.
[#11306] Change the length of the field named resource from 255 to 128.
[#11514] Check server stream ready state to avoid ByteBuffer backing up in the flow control pending write queue.
[#11518] Enhance the timed incremental reconciliation for the configuration center.
[#11521] Add UT coverage for the config module.
[#11526] Add service info log when the client receives server push data.
[#11571] Fix persistent services loading a snapshot causing data inconsistency due to thread safety.
[#11601] Remove the auth identity key and value check for standalone mode.
[#11612] Unify use of NameThreadFactory to create thread pools.
[#11618] Add config for the max thread count of client worker and naming polling.
[#11658] Enhance dump configuration logic to reduce network traffic.
[#11695] Fix PreviousConfigHistory showing encrypted configuration.
[#11670] Remove direct read logic for the configuration center when starting with derby.

BugFix

[#10752] Fix Prometheus SD API security not being compatible with the original Nacos security configs.
[#11416] Fix connection count of the current node not being accurate.
[#11459] Fix "RowMapper is required" problem in embedded storage with cluster mode.
[#11489] Fix PageHandlerAdapterFactory initHandlerAdapters error.
[#11493] Fix service name group check in the nacos client.
[#11494] Fix login API being requested frequently when auth is disabled with a 2.x client.
[#11497] Fix ClassCastException when nacos.plugin.datasource.log.enabled=true.
[#11499] Fix address server health check error.
[#11573][#11619][#11624][#11626] Fix default control plugin being invalid.
[#11595] Fix user update permission problem.
[#11647] Fix logged raft-config always being {}.
[#11654] Fix server not sending its abilities if the client does not send its abilities when setting up the connection.
[#11679] Fix totalpush count not increasing when a push fails.
[#11718] Fix duplicate codes in ErrorCode.
[#11701] Fix BatchRegister service possibly causing a distro sync handle exception and data delay after timeout.

Dependency

[#11473] Upgrade logback to 1.2.13.
[#11586] Remove deprecated dependency API of Spring Security.
[#11422] Upgrade Jraft to 1.3.14.
[#11777] Upgrade console-ui dependencies via npm audit fix to fix some UI security issues.

nacos - 1.4.7 (Jan 15th, 2024)

Published by KomachiSion 9 months ago

Full Changelog: https://github.com/alibaba/nacos/compare/1.4.6...1.4.7

nacos - 2.3.0 (Nov 30, 2023)

Published by KomachiSion 11 months ago

This version is based on 2.3.0-BETA and has been partially optimized and fixed after more than a month of testing.

The main changes are the same as in 2.3.0-BETA; see the 2.3.0-BETA changelog.

Additionally, 2.3.0 supports registering and deregistering persistent instances over gRPC, based on the ability negotiation feature introduced in 2.3.0-BETA.

The other additional changes focus on enhancements and bug fixes.

Details:

Feature

[#11393] Support register or deregister persistent instance by grpc.

Enhancement&Refactor

[#11275] Enhance console UI deployment to show more information, such as the mode.
[#11298] Strip groupNamePrefix from instance serviceName at register or deregister.
[#11310] Simplify the validate method for serviceinfo.
[#11342] Simplify BatchDeregister instance conditions to ip and port.
[#11343] Simplify the parameter checker control logic.
[#11352] Refactor topN logic to improve memory usage and accuracy.

BugFix

[#10353] Handle DataIntegrityViolationException and DuplicateKeyException together.
[#11299] Fix console UI auth pagination failure.
[#11382] Fix console UI listening query pagination failure.
[#11384] Fix console UI configuration comparison failure.
[#11390] Fix Config EncryptionPluginService order problem.
[#11442] Fix listen configuration check failing without a namespace.

Dependency

[#11216] Declare httpcore as a direct dependency to avoid conflicts.
[#11396] Upgrade jackson to the same version as the Spring Boot dependency.
[#11439] Upgrade some UI components to solve security problems.

nacos - 2.3.0-BETA (Oct 19, 2023)

Published by KomachiSion about 1 year ago

This version is an important release that includes some large changes, so this pre-release beta version is published first.

The first main change is support for a config change hook plugin and a control plugin, which can be extended for pre-checking config formatting, change auditing, capacity limits, antifragility and change notification according to users' needs.

The second main change is a major refactor of the datasource plugin and the module loader. One part makes it easier for the plugin to support more datasources, and the other lets users enable only one feature to save memory.

The third main change is support for ability negotiation between server and clients, an important feature that makes Nacos more smoothly compatible with subsequent features.

The other important changes include: validating most request parameters, supporting SSL for the gRPC connection, many usability enhancements for the console UI and bug fixes.

Details:

Feature

[#5698] Support Nacos control plugin.
[#8458] Support ability negotiation between server and clients.
[#8460] Support config change hook plugin.
[#10117] Support metrics for nacos client request server exceptions.
[#10150] Support SSL for the grpc connection.
[#10223] Support auto-building the instance id when the client request instance id is null.
[#10288] Support getting more module state and switches in the console.
[#10734] Support validating most request parameters.
[#10831] Support batch deregistering instances for a service.
[#10971] Support disabling the console UI and adding guide information.

Enhancement&Refactor

[#6819] Add page size selector on the service details page.
[#8107][#9109][#10169][#10176] Enhance the hint when the console UI session expires for the default auth plugin.
[#9085] Add the Reachability Metadata required by native-image.
[#9821] Enhance the datasource plugin to make more datasource implementations easier.
[#9881] Enhance the configuration page to support folding when editing a configuration.
[#10067] Enhance Windows compatibility for configuration snapshots.
[#10155] Enhance hints for grpc requests on request timeout.
[#10343] Use CMS as the default GC when the JDK is older than 9.
[#10361] Refactor module switches to load only the specified module rather than only hiding it in the console UI.
[#10520] Validate the namespace show name when creating a new namespace.
[#10521] Enhance the hints for the No DataSourceSet error by validating the datasource after construction.
[#10539] Enhance logs when a configuration operation fails.
[#10730] Link to the v2 documentation from the console UI.
[#10811] Enhance compatibility of the colorful service healthy status in the console UI.
[#10891] Support setting the maximum number of push retries.
[#10930] Forward-compatible handling of the old version secretKey for the default auth plugin.
[#11129] Remove the namespace information from the node list page.
[#11231] Optimize the handleSpringBinder method in PropertiesUtil.

BugFix

[#10056] Fix loss of client revision during distro sync.
[#10128] Fix wrong judgement in the raft state machine.
[#10149] Fix deadlock when sending a connection reset request while the server is over its limit.
[#10271] Fix nacos-client failover switch file path.
[#10318] Fix import configuration problem.
[#10347] Fix only admin role users being able to register services into the default namespace when the default auth plugin is enabled.
[#10406] Fix jraft install leader snapshot error after disconnection.
[#10427] Fix nacos client not responding when handling a server request with an exception.
[#10464] Fix NPE on concurrent operations for a client.
[#10470] Fix some missing i18n in the console UI.
[#10509] Fix outdated connections not being disconnected.
[#10548] Fix switch domain possibly not loading the snapshot after restart.
[#10556] Fix index loss for client and service in extreme scenarios.
[#10583] Fix some new APIs missing the auth check.
[#10585] Fix selectInstances and selectOneHealthyInstance methods not subscribing to the service.
[#10593] Fix invalid creation of the "file:" dir under nacos.home.
[#10598] Fix nacos-client not choosing a random server address when using the address server.
[#10606] Fix memory leak in the nacos client when users create and shut down clients frequently.
[#10657] Fix NPE when using the derby datasource in cluster mode.
[#10935] Fix wrong startsWith judgement when ignoreCase is true.
[#11056] Fix wrong batch register count size when batch registering several times.
[#11059] Fix RPC_CLIENT_TLS_PROTOCOLS setting error.
[#11192] Fix batchRegisterInstance not recalculating the revision.
[#11197] Fix frequent service queries when protect-empty is hit.

Dependency

[#7698] Remove httpasyncclient version dependency management to avoid version conflicts.
[#10416] Upgrade the console yaml editor.
[#10648] Optimize the Guava dependency.
[#10893] Upgrade Spring Boot to 2.7.15.
[#11199] Upgrade grpc version to 1.57.2.

nacos - 2.2.4 (June 20th, 2023) (Client Only)

Published by KomachiSion over 1 year ago

This release only includes the client part; the server part is the same as 2.3.3, so use the 2.2.3 server directly.

In this release, the nacos client fixes memory leak and OOM problems in some extremely rare usage situations:

  1. Frequently creating a new ConfigService and shutting down the old one in the application [#10555].
  2. Frequently creating a new NamingService and shutting down the old one in the application [#10606].
  3. Frequently publishing new config through ConfigService in the application [#10471].

Without these extremely rare situations, the old version carries no risk.

For the other situation, where the addressServer is used to find the nacos server addresses, this release adds one enhancement to load-balance the grpc connection: #10598 randomizes the first-choice nacos server address.

nacos - 1.4.6 (Mar 25th, 2023)

Published by KomachiSion over 1 year ago

This version mainly fixes an RCE vulnerability caused by unrestricted hessian deserialization during the processing of some Jraft requests.

The vulnerability only affects port 7848 (under the default settings). This port is normally the communication port for the Raft protocol between Nacos cluster nodes and does not serve client requests, so older versions can stop the bleeding by blocking requests to this port from outside the Nacos cluster (if the port was already restricted or not exposed at deployment time, the risk is under control).

Details:

  • [#10217] Fix can't read application.properties problem.
  • [#10525] Fix nacos client RAM role usage problem.
  • [#10532] Upgrade Spring Boot version.
  • [#10542] Add classes whitelist for HessianSerializer.

nacos - 2.2.3 (May 25th, 2023)

Published by KomachiSion over 1 year ago

This version mainly fixes an RCE vulnerability caused by unrestricted hessian deserialization during the processing of some Jraft requests.

The vulnerability only affects port 7848 (under the default settings). This port is normally the communication port for the Raft protocol between Nacos cluster nodes and does not serve client requests, so older versions can stop the bleeding by blocking requests to this port from outside the Nacos cluster (if the port was already restricted or not exposed at deployment time, the risk is under control).

Details:

  • [#10318] Fix import problem when auth is disabled.
  • [#10542] Add classes whitelist for HessianSerializer.

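
The mitigation given for 1.4.6, 2.2.3 and 2.4.1 above (restricting port 7848 to Nacos cluster members) as an added example that is not part of the release notes or of the Nacos project: the script reads peer addresses from cluster.conf-style text (one ip:port per line, the conf/cluster.conf format), prints iptables rules that accept TCP 7848 only from those peers and from loopback and drop everything else, and checks a rule set for any unrestricted ACCEPT. The peer addresses and the file content are constructed sample values, the chain is assumed to be INPUT, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not Nacos project code: build and check host firewall rules
# that limit the Raft port (7848 by default, per the release notes) to peers.

# Constructed sample cluster.conf content (conf/cluster.conf format: one ip:port
# per line; '#' comments and blank lines are ignored). Documentation addresses.
SAMPLE_CLUSTER_CONF='# nacos cluster members (constructed sample)
192.0.2.11:8848
192.0.2.12:8848   # second node

192.0.2.13:8848'

# peers_from_cluster_conf TEXT -> space-separated unique peer IPs, in file order.
peers_from_cluster_conf() {
    printf '%s\n' "$1" \
        | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
        | grep -v '^$' \
        | cut -d: -f1 \
        | awk '!seen[$0]++' \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# nacos_raft_rules PORT PEER... -> iptables commands (printed, not executed):
# accept the Raft port from each peer and from loopback, drop everything else.
nacos_raft_rules() {
    port="$1"; shift
    for peer in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$peer"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -i lo -j ACCEPT\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# rules_are_restrictive PORT RULES -> 0 if the rule text ends the port in a DROP
# and every ACCEPT for that port is bound to a source (-s) or to loopback (-i lo).
rules_are_restrictive() {
    port="$1"; rules="$2"
    printf '%s\n' "$rules" | grep -q -- "--dport $port -j DROP" || return 1
    # An ACCEPT for this port without -s and without -i lo exposes the port.
    if printf '%s\n' "$rules" \
        | grep -- "--dport $port " \
        | grep -- "-j ACCEPT" \
        | grep -v -- " -s " \
        | grep -vq -- "-i lo"; then
        return 1
    fi
    return 0
}

# Demonstration when run directly: derive peers, print rules, verify them.
PEERS=$(peers_from_cluster_conf "$SAMPLE_CLUSTER_CONF")
RULES=$(nacos_raft_rules 7848 $PEERS)
printf '%s\n' "$RULES"
if rules_are_restrictive 7848 "$RULES"; then
    echo "port 7848 restricted to: $PEERS"
fi
```

Feed the real conf/cluster.conf content to peers_from_cluster_conf and pipe the printed rules through a review step before applying them on each node.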
nacos - 2.2.2 (Apr 11, 2023)

Published by KomachiSion over 1 year ago

Nacos recently released versions 2.2.0.1 and 2.2.1, which made major changes to the default authentication plugin to remove some of its default values. For details, see the Risk Description and the 2.2.1 release.

However, the default Nacos console UI relies on token.secret.key by default, and after its default value was removed, many new users running the latest image with default settings hit startup failures. This had a great impact on usability.

Version 2.2.2 is therefore mainly aimed at this problem.

Enhancement&Refactor

[#10153] Close the console login page when auth.enabled is false.
[#10276] Disable openssl by default for the client.

BugFix

[#10208] Remove DefaultSettingPropertySource.java.

nacos - 2.2.1 (Mar 17th, 2023)

Published by KomachiSion over 1 year ago

The main change in this version is the removal of the default values of token.secret.key and server.identity. For details see the announcement.

This version also upgrades many dependencies such as spring-boot, gRPC and jraft.

What's more, this version adds a beta feature that lets gRPC requests use TLS, fixes some bugs and enhances some usage problems.

Details:

Feature

[#9276] Add search config by content.
[#9703] Add catalog v2 API to support listing instances that are not enabled.
[#9710] Support prometheus-sd basic auth.
[#9888] Beta support for the gRPC TLS feature.
[#10062] Naming supports Aliyun STS auth.

Enhancement&Refactor

[#9510] Add SQL log print function.
[#9646] Replace concatenated strings with placeholders.
[#9708] Clean expired and invalid connections for the HTTP client.
[#9783] Handle the public namespaceId as the default namespaceId when publishing and querying config via the v2 HTTP API.
[#9837] Enhance gRPC connected time when the cluster starts, to load the snapshot quickly.
[#9859] Refactor the default auth plugin to use a custom JWT instead of jjwt.
[#9860] Adapt logback 1.4.5 via SPI.
[#9885] Add Prometheus API exception handling.
[#9949] Use gRPC to replace all HTTP requests between servers.
[#9951] Check whether the message is null in the metadata processor.
[#10084] Client uses an async appender to print logs.
[#10108] Remove the identity default value.

BugFix

[#9621] Fix config client server check always reporting up.
[#9728] Fix Prometheus HTTP SD only returning the public namespace.
[#9732] Fix namespace v2 API auth not working.
[#9734] Fix HTTP login URL without the default port.
[#9795] Fix export config failure for non-admin users after enabling auth.
[#9816] Fix redo data differing from the server when registering and unregistering a service concurrently.
[#9819] Fix update password failure when behind nginx.
[#9825] Fix config history page paging problem.
[#9861] Fix auth check running before the distro filter.
[#9862] Fix LDAP login failure.
[#9943] Fix config CAS update not working when using the derby database.
[#10014] Clear up confused logic about namespace properties.
[#10038] Fix load failover file failure.

Dependency

[#9504][#9767] Upgrade spring-boot version to 2.6.14.
[#9789] Upgrade jraft version to 1.3.12.
[#9772] Upgrade gRPC version to 1.50.2.
[#9985] Replace flatten-maven-plugin with easyj-maven-plugin.
[#10091] Upgrade snakeYaml to 2.0.

nacos - 1.4.5 (Mar 17th, 2023)

Published by KomachiSion over 1 year ago

This version mainly upgrades the Spring Boot version to 2.6.8 and backports some fixes from v2.x.

In particular, it removes the default values of token.secret.key and server.identity.

Details:

Enhancement

[#9064] Enhance error message and error code by merging #9045 and #8881 into v1.x.
[#10089] Enhance STS auth for naming and async client log into v1.x.
[#10108] Remove the identity default value.

BugFix

[#3720] Fix non-admin users being able to change others' passwords via the API.
[#8979] Fix some UI problems by merging #8787, #8156 and #7364 into v1.
[#9020] Fix startup failure without the CUSTOM_SEARCH_LOCATIONS prefix.

Dependency

[#8541] Upgrade spring-boot version to 2.6.8.

nacos - 2.2.0.1 (March 2nd, 2023)

Published by KomachiSion over 1 year ago

This version removes the default value of nacos.core.auth.plugin.nacos.token.secret.key, which the default authentication plugin depends on. When deploying the new version, a custom valid token.secret.key must be provided; it is used to generate the accessToken after login.

This change avoids the security risk of open-source users running directly on the default configuration and improves the security of using this component.

Older versions do not have to be upgraded to this version; it is enough to change token.secret.key as described in the documentation to fix the problem.

Details:

  • [#9992] Remove the default token.secret.key.

nacos - 2.2.1-RC

Published by KomachiSion almost 2 years ago

This release is for nacos-client only, adding support for GraalVM and the native runtime via #9738.

Refer to https://github.com/alibaba/nacos/issues/6869 and https://github.com/alibaba/nacos/issues/9085.