SPIRE
v1.14.6SecuritySPIRE v1.14.6 patches two critical security vulnerabilities in node attestation: an EC2 instance impersonation flaw and a race condition in join token validation.
securityUpgrade immediately if using aws_iid node attestation
The aws_iid bug is severe: any EC2 instance under attacker control could forge the identity of any other EC2 instance during attestation, bypassing all downstream SPIFFE ID assignment and workload authorization. If you use aws_iid attestation in any environment, treat this as a critical breach risk and upgrade to v1.14.6 now. After upgrading, audit your node attestation logs for anomalous registrations — specifically instances claiming identities inconsistent with their actual AWS metadata.
securityJoin token race condition allows double-registration — patch now
The TOCTOU flaw means two concurrent requests with the same join token could both complete attestation successfully, resulting in two agents registered under one token. If join tokens are distributed in automated pipelines or ephemeral environments, an attacker who intercepts a token could race a legitimate agent to claim it. Upgrade to v1.14.6, then review your join token issuance and revocation policies. Consider switching to shorter-lived tokens or alternative attestation methods like x509pop for sensitive workloads.
Key changes (3)
- Fixed aws_iid attestor: PKCS7 signature was verified against embedded content, but identity was parsed from an attacker-controlled field — allowing any EC2 instance to impersonate any other.
- Fixed join token TOCTOU race: concurrent attestations with the same token could both succeed due to silent no-op deletes. Now uses row-locked read-modify-write transactions.
- Both vulnerabilities reported by Tianshuo Han.