From time to time, we make a public service announcement for those who remain on the Apache-licensed code. The announcement is pretty simple: the code you are running in production has major, known security vulnerabilities. We strongly recommend that you upgrade to the latest release.
If you simply won’t move to the latest release for licensing reasons you should at least upgrade to RELEASE.2021-04-22T15-44-28Z to avoid being affected by CVEs that have been fixed prior to that. Again, we strongly recommend the most recent version, but understand some organizations simply will not for licensing reasons.
According to our estimates, there are at least 24.5 million currently deployed versions of MinIO that are exposed to these vulnerabilities. In 2022 alone we addressed nearly 800 bugs in 94 releases and dozens of new features. If you are more than two years back that is 1,600+ bugs, nearly 200 releases and nearly 100 new features. Backporting any of these changes would bring the AGPL license along with it.
Still, it is the security risks that are top of mind in the enterprise today. Here are a few of the major security issues that characterize the types of risks the organization incurs by running older code. This should not be viewed as the definitive list of open issues.
- Privilege escalation in `AddUser` admin API. It affects all MinIO releases since RELEASE.2019-07-31T18-57-56Z and has been fixed by RELEASE.2021-12-27T07-23-18Z.
This security issue allows a user to extend their privileges by updating or overwriting an S3 policy via the `AddUser` API call. As a result, the user can gain access to resources that should not be accessible to them.
- A denial-of-service (DoS) vulnerability triggered by establishing HTTP keep-alive connections. It affects all MinIO releases since RELEASE.2019-09-25T18-25-51Z and has been fixed by RELEASE.2022-06-02T02-11-04Z.
This security issue allows malicious clients to consume resources on MinIO by opening HTTP connections until MinIO eventually crashes.
- Path traversal and information disclosure in admin API. It affects all MinIO releases since RELEASE.2020-07-24T22-43-05Z and has been fixed by RELEASE.2022-07-29T19-40-48Z.
This security issue enables MinIO clients with the `admin:ServerUpdate` permission to obtain arbitrary data from the server or container MinIO is running on by sending a malicious request. In particular, MinIO can be tricked into sending secrets, such as `/etc/passwd`, containing access information and other sensitive data.
These three CVEs with a severity rating of HIGH affect MinIO deployments still using Apache-licensed code. Upgrading these deployments to the latest Apache-licensed release (RELEASE.2021-04-22T15-44-28Z) will not fix these security issues. To address these issues users should upgrade to the latest AGPL v3 release.
Again, this does not account for minor security issues, bug fixes, feature or other enhancements as noted above.
Two of these three CVEs, when exploited, can cause data leakage and, in the worst case, data loss and malicious take-over of the affected MinIO cluster.
The three issues listed above can ONLY be remedied by moving to the latest release. The following two CVEs can be mitigated by moving to the last Apache-licensed release (RELEASE.2021-04-22T15-44-28Z):
- Server-side request forgery (SSRF) in MinIO Browser API. It affects all MinIO releases since RELEASE.2019-12-17T23-16-33Z and has been fixed by RELEASE.2021-01-30T00-20-58Z.
- Authentication bypass in the MinIO admin API. It affects all MinIO releases since RELEASE.2019-12-17T23-16-33Z and has been fixed by RELEASE.2020-04-23T00-58-49Z.
How to fix this?!
If you are on a release before RELEASE.2022-07-29T19-40-48Z you are running a MinIO version that has at least one known CVE with a rating of HIGH.
We recommend upgrading to the latest MinIO server release or, if that is not possible right now, at least upgrading to RELEASE.2022-07-29T19-40-48Z.
See Best Practices for Updates and Restarts for detailed instructions.
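To check a deployment against the affected ranges listed in this post, here is an added example script (not MinIO's own tooling) that parses the `RELEASE.<timestamp>Z` tag out of a version string and reports which of the five issues cover that release. It assumes the version string is in the form `minio --version` prints (`minio version RELEASE.…`), and the sample input below is constructed.

```python
import re
from datetime import datetime

# Affected ranges as stated in the post: (issue, first affected release, first fixed release).
ISSUES = [
    ("Privilege escalation in AddUser admin API",
     "RELEASE.2019-07-31T18-57-56Z", "RELEASE.2021-12-27T07-23-18Z"),
    ("DoS via HTTP keep-alive connections",
     "RELEASE.2019-09-25T18-25-51Z", "RELEASE.2022-06-02T02-11-04Z"),
    ("Path traversal / information disclosure in admin API",
     "RELEASE.2020-07-24T22-43-05Z", "RELEASE.2022-07-29T19-40-48Z"),
    ("SSRF in MinIO Browser API",
     "RELEASE.2019-12-17T23-16-33Z", "RELEASE.2021-01-30T00-20-58Z"),
    ("Authentication bypass in admin API",
     "RELEASE.2019-12-17T23-16-33Z", "RELEASE.2020-04-23T00-58-49Z"),
]

# MinIO release tags embed a UTC timestamp with hyphens in the time part.
RELEASE_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(text):
    """Extract the release timestamp from a version string (assumed to look like
    the output of `minio --version`) and return it as a datetime."""
    m = RELEASE_RE.search(text)
    if not m:
        raise ValueError(f"no RELEASE.<timestamp>Z tag found in {text!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")


def affected_issues(version_text):
    """Return the issues whose range covers this release: a release is affected
    if it is at or after the first affected tag and before the fixing tag."""
    ts = parse_release(version_text)
    return [name for name, first, fixed in ISSUES
            if parse_release(first) <= ts < parse_release(fixed)]


if __name__ == "__main__":
    # Constructed sample: the last Apache-licensed release named in the post.
    sample = "minio version RELEASE.2021-04-22T15-44-28Z"
    for issue in affected_issues(sample):
        print("AFFECTED:", issue)
```

Run with the version string of the server you operate; an empty result means none of the five ranges in this post cover that release, not that the release is free of every issue.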