SPIRE
v1.13.4SecuritySPIRE v1.13.4 fixes two critical security vulnerabilities in node attestor plugins that could enable SSRF attacks and CPU exhaustion attacks.
securityUpgrade immediately to patch critical vulnerabilities
Two severe vulnerabilities affect node attestation security. The http_challenge plugin SSRF flaw lets attackers probe internal networks, while the x509pop plugin can be exploited for DoS attacks. Update to v1.13.4 immediately and audit recent attestation logs for suspicious activity.
securityReview node attestor plugin configurations
If you use http_challenge or x509pop attestor plugins, verify your network security controls and consider temporary restrictions on node attestation endpoints until the upgrade is complete. Monitor CPU usage patterns during attestation processes.
Key changes (4)
- Fixed SSRF vulnerability in http_challenge server node attestor allowing attackers to redirect server requests
- Patched CPU exhaustion attack vector in x509pop server node attestor plugin
- Both vulnerabilities affected the node attestation process used for workload identity verification
- Security fixes address potential unauthorized access and denial of service scenarios