Releases: gravitational/teleport
Teleport 13.4.26
Description
This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.
Security Fixes
[High] Unrestricted redirect in SSO Authentication
Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and redirect to an attacker-controlled URL allowing them to steal the credentials. #41836.
Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback
feature should modify their auth connector configuration as follows:
version: vX
kind: (saml|oidc|github)
metadata:
name: ...
spec:
...
client_redirect_settings:
allowed_https_hostnames:
- '*.app.github.dev'
- '^\d+-[a-zA-Z0-9]+\.foo.internal$'
The allowed_https_hostnames
field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^
and $
respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).
[High] CockroachDB authorization bypass
When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41825.
[High] Long-lived connection persistence issue with expired certificates
Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert
option. This could allow such users to perform some API actions after their certificate has expired. #41829.
[High] PagerDuty integration privilege escalation
When creating a role access request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41831.
[High] SAML IdP session privilege escalation
When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41849.
We strongly recommend all customers upgrade to the latest releases of Teleport.
Other fixes and improvements
- Fixed access request annotations when annotations contain globs, regular
expressions, trait expansions, orclaims_to_roles
is used. #41938. - Fixed session upload completion with large number of simultaneous session
uploads. #41852. - Stripped debug symbols from Windows builds, resulting in smaller
tsh
and
tctl
binaries. #41838. - Added read-only permissions for cluster maintenance config. #41792.
- Simplified how Bots are shown on the Users list page. #41738.
- Fixed missing variable and script options in Default Agentless Installer
script. #41721. - Added remote address to audit log events emitted when a Bot or Instance join
completes, successfully or otherwise. #41698. - Upgraded application heartbeat service to support 1000+ dynamic applications. #41628.
- Fixed
systemd
unit to always restart Teleport on failure unless explicitly
stopped. #41583. - Updated Teleport package installers to reload Teleport service config after
upgrades. #41549. - Fixed WebUI SSH connection leak when browser tab closed during SSH connection
establishment. #41520 - Added "login failed" audit events for invalid passwords on password+webauthn
local authentication. #41435 - Allow setting Kubernetes Cluster name when using non-default addresses. #41356.
- Added support to automatically download CA for MongoDB Atlas databases. #41340.
- Added validation for application URL extracted from the web application
launcher request route. #41306. - Allow defining custom database names and users when selecting wildcard during
test connection when enrolling a database through the web UI. #41303. - Updated user management to explicitly deny password resets and local logins to
SSO users. #41272.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
--
labels: security-patch=yes, security-patch-alts=v15.3.4
Teleport 15.3.7
Description
- Fixed creating access requests for servers in Teleport Connect that were blocked due to a "no roles configured" error. #41959
- Fixed regression issue with event-handler Linux artifacts not being available. #4237
- Fixed failed startup on GCP if missing permissions. #41985
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Teleport 15.3.6
Description
This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.
Security Fixes
[High] Unrestricted redirect in SSO Authentication
Teleport didn’t sufficiently validate the client redirect URL. This could allow an attacker to trick Teleport users into performing an SSO authentication and redirect to an attacker-controlled URL allowing them to steal the credentials. #41834.
Warning: Teleport will now disallow non-localhost callback URLs for SSO logins unless otherwise configured. Users of the tsh login --callback
feature should modify their auth connector configuration as follows:
version: vX
kind: (saml|oidc|github)
metadata:
name: ...
spec:
...
client_redirect_settings:
allowed_https_hostnames:
- '*.app.github.dev'
- '^\d+-[a-zA-Z0-9]+\.foo.internal$'
The allowed_https_hostnames
field is an array containing allowed hostnames, supporting glob matching and, if the string begins and ends with ^
and $
respectively, full regular expression syntax. Custom callback URLs are required to be HTTPS on the standard port (443).
[High] CockroachDB authorization bypass
When connecting to CockroachDB using Database Access, Teleport did not properly consider the username case when running RBAC checks. As such, it was possible to establish a connection using an explicitly denied username when using a different case. #41823.
[High] Long-lived connection persistence issue with expired certificates
Teleport did not terminate some long-running mTLS-authenticated connections past the expiry of client certificates for users with the disconnect_expired_cert
option. This could allow such users to perform some API actions after their certificate has expired. #41827.
[High] PagerDuty integration privilege escalation
When creating a role access request, Teleport would include PagerDuty annotations from the entire user’s role set rather than a specific role being requested. For users who run multiple PagerDuty access plugins with auto-approval, this could result in a request for a different role being inadvertently auto-approved than the one which corresponds to the user’s active on-call schedule. #41837.
[High] SAML IdP session privilege escalation
When using Teleport as SAML IdP, authorization wasn’t properly enforced on the SAML IdP session creation. As such, authenticated users could use an internal API to escalate their own privileges by crafting a malicious program. #41846.
We strongly recommend all customers upgrade to the latest releases of Teleport.
Other fixes and improvements
- Fixed access request annotations when annotations contain globs, regular
expressions, trait expansions, orclaims_to_roles
is used. #41936. - Added AWS Management Console as a guided flow using AWS OIDC integration in
the "Enroll New Resource" view in the web UI. #41864. - Fixed spurious Windows Desktop sessions screen resize during an MFA ceremony. #41856.
- Fixed session upload completion with large number of simultaneous session
uploads. #41854. - Fixed MySQL databases version reporting on new connections. #41819.
- Added read-only permissions for cluster maintenance config. #41790.
- Stripped debug symbols from Windows builds, resulting in smaller
tsh
and
tctl
binaries. #41787 - Fixed passkey deletion so that a user may now delete their last passkey if
the have a password and another MFA configured. #41771. - Changed the default permissions for the Workload Identity Unix socket to
0777
rather than the default as applied by the umask. This will allow the socket to
be accessed by workloads running as users other than the user that owns the
tbot
process. #41754 - Added ability for
teleport-event-handler
to skip certain events type when
forwarding to an upstream server. #41747. - Added automatic GCP label importing. #41733.
- Fixed missing variable and script options in Default Agentless Installer
script. #41723. - Removed invalid AWS Roles from Web UI picker. #41707.
- Added remote address to audit log events emitted when a Bot or Instance join
completes, successfully or otherwise. #41700. - Simplified how Bots are shown on the Users list page. #41697.
- Added improved-performance implementation of ProxyCommand for Machine ID and
SSH. This will become the default in v16. You can adopt this new mode early by
settingTBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new
. #41694. - Improved EC2 Auto Discovery by adding the SSM script output and more explicit
error messages. #41664. - Added webauthn diagnostics commands to
tctl
. #41643. - Upgraded application heartbeat service to support 1000+ dynamic applications. #41626
- Fixed issue where Kubernetes watch requests are written out of order. #41624.
- Fixed a race condition triggered by a reload during Teleport startup. #41592.
- Updated discover wizard Install Script to support Ubuntu 24.04. #41589.
- Fixed
systemd
unit to always restart Teleport on failure unless explicitly stopped. #41581. - Updated Teleport package installers to reload Teleport service config after
upgrades. #41547. - Fixed file truncation bug in Desktop Directory Sharing. #41540.
- Fixed WebUI SSH connection leak when browser tab closed during SSH connection
establishment. #41518. - Fixed AccessList reconciler comparison causing audit events noise. #41517.
- Added tooling to create SCIM integrations in tctl. #41514.
- Fixed Windows Desktop error preventing rendering of the remote session. #41498.
- Fixed issue in the PagerDuty, Opsgenie and ServiceNow access plugins that
causing duplicate calls on access requests containing duplicate service names.
Also increases the timeout so slow external API requests are less likely to
fail. #41488. - Added basic Unix workload attestation to the
tbot
SPIFFE workload API. You
can now restrict the issuance of certain SVIDs to processes running with a
certain UID, GID or PID. #41450. - Added "login failed" audit events for invalid passwords on password+webauthn
local authentication. #41432.
Fixed Terraform provider issue causing the Provision Token options to default
tofalse
instead of empty. #41429. - Added support to automatically download CA for MongoDB Atlas databases. #41338.
- Fixed broken "finish" web page for SSO Users on auto discover. #41335.
- Allow setting Kubernetes Cluster name when using non-default addresses. #41331.
- Added fallback on GetAccessList cache miss call. #41326.
- Fixed DiscoveryService panic when auto-enrolling EKS clusters. #41320.
- Added validation for application URL extracted from the web application launcher request route. #41304.
- Allow defining custom database names and users when selecting wildcard during test connection when enrolling a database through the web UI. #41301.
- Fixed broken link for alternative EC2 installation during EC2 discover flow. #41292
- Updated Go to v1.21.10. #41281.
- Updated user management to explicitly deny password resets and local logins to
SSO users. #41270. - Fixed fetching suggested access lists with large IDs in Tel...
Teleport 14.3.20
Description
This release contains fixes for several high-severity security issues, as well as numerous other bug fixes and improvements.
Security Fixes
[High] Unrestricted redirect in SSO Authentication
Teleport didn’t sufficiently validate the client redirect URL. This could allow
an attacker to trick Teleport users into performing an SSO authentication and
redirect to an attacker-controlled URL allowing them to steal the credentials.
#41834.
Warning: Teleport will now disallow non-localhost callback URLs for SSO logins
unless otherwise configured. Users of the tsh login --callback
feature should
modify their auth connector configuration as follows:
version: vX
kind: (saml|oidc|github)
metadata:
name: ...
spec:
...
client_redirect_settings:
allowed_https_hostnames:
- '*.app.github.dev'
- '^\d+-[a-zA-Z0-9]+\.foo.internal$'
The allowed_https_hostnames
field is an array containing allowed hostnames,
supporting glob matching and, if the string begins and ends with ^
and $
respectively, full regular expression syntax. Custom callback URLs are required
to be HTTPS on the standard port (443).
[High] CockroachDB authorization bypass
When connecting to CockroachDB using Database Access, Teleport did not properly
consider the username case when running RBAC checks. As such, it was possible to
establish a connection using an explicitly denied username when using a
different case. #41823.
[High] Long-lived connection persistence issue with expired certificates
Teleport did not terminate some long-running mTLS-authenticated connections past
the expiry of client certificates for users with the disconnect_expired_cert
option. This could allow such users to perform some API actions after their
certificate has expired.
#41827.
[High] PagerDuty integration privilege escalation
When creating a role access request, Teleport would include PagerDuty
annotations from the entire user’s role set rather than a specific role being
requested. For users who run multiple PagerDuty access plugins with
auto-approval, this could result in a request for a different role being
inadvertently auto-approved than the one which corresponds to the user’s active
on-call schedule.
#41837.
[High] SAML IdP session privilege escalation
When using Teleport as SAML IdP, authorization wasn’t properly enforced on the
SAML IdP session creation. As such, authenticated users could use an internal
API to escalate their own privileges by crafting a malicious program.
#41846.
We strongly recommend all customers upgrade to the latest releases of Teleport.
Other fixes and improvements
- Fixed session upload completion in situations where there's a large number of in-flight session uploads. #41853
- Debug symbols are now stripped from Windows builds, resulting in smaller tsh and tctl binaries. #41839
- Fixed an issue that the server version of the registered MySQL databases is not automatically updated upon new connections. #41820
- Add read-only permissions for cluster maintenance config. #41791
- Simplified how Bots are shown on the Users list page. #41739
- Fix missing variable and script options in Default Agentless Installer script. #41722
- Improved reliability of aggregated usage reporting with some cluster state storage backends (Teleport Enterprise only). #41703
- Adds the remote address to audit log events emitted when a join for a Bot or Instance fails or succeeds. #41699
- Allow the application service to heartbeat on behalf of more than 1000 dynamic applications. #41627
- Ensure responses to Kubernetes watch requests are written sequentially. #41625
- Install Script used in discover wizard now supports Ubuntu 24.04. #41588
- Ensured that systemd always restarts Teleport on any failure unless explicitly stopped. #41582
- Teleport service config is now reloaded on upgrades. #41548
- Fix AccessList reconciler comparison causing audit events noise. #41541
- Prevent SSH connections opened in the UI from leaking if the browser tab is closed while the SSH connection is being established. #41519
- Emit login login failed audit events for invalid passwords on password+webauthn local authentication. #41433
- Allow setting Kubernetes Cluster name when using non-default addresses. #41355
- Added support to automatically download CA for MongoDB Atlas databases. #41339
- Fix broken finish web page for SSO user's on auto discover. #41336
- Add fallback on GetAccessList cache miss call. #41327
- Validate application URL extracted from the web application launcher request route. #41305
- Allow defining custom database names and users when selecting wildcard during test connection when enrolling a database through the web UI. #41302
- Updated Go to v1.21.10. #41282
- Forbid SSO users from local logins or password changes. #41271
- Prevents Cloud tenants from updating
cluster_networking_config
fieldskeep_alive_count_max
,keep_alive_interval
,tunnel_strategy
, orproxy_listener_mode
. #41248
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
--
labels: security-patch=yes, security-patch-alts=v14.3.19
Teleport 15.3.1
Description
- Fixed
screen_size
behavior for Windows Desktops, which was being overridden by the new resize feature. #41241 - Ensure that the active sessions page shows up in the web UI for users with permissions to join sessions. #41221
- Added indicators on the account settings page that tell which authentication methods are active. #41169
- Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. #41158
- Fixed
AccessDeniedException
fordynamodb:ConditionCheckItem
operations when using AWS DynamoDB for cluster state storage. #41133 - Added lock target to lock deletion audit events. #41112
- Fixed a permissions issue that prevented the teleport-cluster helm chart operator from registering agentless ssh servers. #41108
- Improve the reliability of the upload completer. #41103
- Allows the listener for the
tbot
database-tunnel
service to be set to a unix socket. #41008
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Teleport 14.3.18
Description
- Ensure that the active sessions page shows up in the web UI for users with permissions to join sessions. #41222
- Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. #41157
- Add lock target to lock deletion audit events. #41111
- Improve the reliability of the upload completer. #41104
- Allows the listener for the tbot database-tunnel service to be set to a unix socket. #41042
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Teleport 13.4.24
Description
- Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. #41159
- Add lock target to lock deletion audit events. #41110
- Fix user SSO bypass by performing a local passwordless login. #41072
- Enforce allow_passwordless server-side. #41059
- Improved error message when performing an SSO login with a hardware key. #40925
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Teleport 15.3.0
Description
Improved Roles UI
The Roles page of the web UI is now backed by a paginated API, ensuring fast
load times even on clusters with large numbers of roles.
Resizing for Windows desktop sessions
Windows desktop sessions now automatically resize as the size of the browser
window changes.
Hardware key support for agentless nodes
Teleport now supports connecting to agentless OpenSSH nodes even when Teleport
is configured to require hardware key MFA checks.
TPM joining
The new TPM join method enables secure joining for agents and Machine ID bots
that run on-premise. Based on the secure properties of the host's hardware
trusted platform module, this join method removes the need to create and
distribute secret tokens, significantly reducing the risk of exfiltration.
Other improvements and fixes
- Fixed user SSO bypass by performing a local passwordless login. #41067
- Enforce allow_passwordless server-side. #41057
- Fixed a memory leak caused by incorrectly passing the offset when paginating all Access Lists' members when there are more than the default pagesize (200) Access Lists. #41045
- Added resize capability to windows desktop sessions. #41025
- Fixed a regression causing roles filtering to not work. #40999
- Allow AWS integration to be used for global services without specifying a valid region. #40991
- Made account id visible when selecting IAM Role for accessing the AWS Console. #40987
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Teleport 14.3.17
Description
- Fixed user SSO bypass by performing a local passwordless login. #41071
- Enforce allow_passwordless server-side. #41058
- Fixed a memory leak caused by incorrectly passing the offset when paginating all Access Lists' members when there are more than the default pagesize (200) Access Lists. #41044
- Fixed a regression causing roles filtering to not work. #41000
- Allow AWS integration to be used for global services without specifying a valid region. #40990
- Fixed access requests lingering in the UI and tctl after expiry. #40965
- Made
podSecurityContext
configurable in theteleport-cluster
Helm chart. #40950 - Allow mounting extra volumes in the updater pod deployed by the
teleport-kube-agent
chart. #40949 - Improved error message when performing an SSO login with a hardware key. #40924
- Fixed a bug in the
teleport-cluster
Helm chart that happened whensessionRecording
wasoff
. #40920 - Allows setting additional Kubernetes labels on resources created by the
teleport-cluster
Helm chart. #40916 - Fixed audit event failures when using DynamoDB event storage. #40912
- Properly enforce session moderation requirements when starting Kubernetes ephemeral containers. #40907
- Introduced the tpm join method, which allows for secure joining in on-prem environments without the need for a shared secret. #40875
- Issue cert.create events during device authentication. #40873
- Add the ability to control
ssh_config
generation in Machine ID's Identity Outputs. This allows the generation of thessh_config
to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online. #40862 - Prevented deleting AWS OIDC integration used by External Audit Storage. #40853
- Reduced parallelism when polling AWS resources to prevent API throttling when exporting them to Teleport Access Graph. #40812
- Added hardware key support for agentless connections #40929
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Teleport 15.2.5
Description
- Extend proxy templates to allow the target host to be resolved via a predicate expression or fuzzy matching. #40966
- Fix an issue where access requests would linger in UI and tctl after expiry. #40964
- The
teleport-cluster
Helm chart can configure AccessMonitoring when running inaws
mode. #40957 - Make
podSecurityContext
configurable in theteleport-cluster
Helm chart. #40951 - Allow to mount extra volumes in the updater pod deployed by the
teleport-kube-agent
chart. #40946 - Improve error message when performing an SSO login with a hardware key. #40923
- Fix a bug in the
teleport-cluster
Helm chart that happened whensessionRecording
wasoff
. #40919 - Fix audit event failures when using DynamoDB event storage. #40913
- Allow setting additional Kubernetes labels on resources created by the
teleport-cluster
Helm chart. #40909 - Fix Windows cursor getting stuck. #40890
- Issue
cert.create
events during device authentication. #40872 - Add the ability to control
ssh_config
generation in Machine ID's Identity Outputs. This allows the generation of thessh_config
to be disabled if unnecessary, improving performance and removing the dependency on the Proxy being online. #40861 - Prevent deleting AWS OIDC integration used by External Audit Storage. #40851
- Introduce the
tpm
join method, which allows for secure joining in on-prem environments without the need for a shared secret. #40823 - Reduce parallelism when polling AWS resources to prevent API throttling when exporting them to Teleport Access Graph. #40811
- Fix spurious deletion of Access List Membership metadata during SCIM push or sync. #40544
- Properly enforce session moderation requirements when starting Kubernetes ephemeral containers. #40906
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.