SPIRE
v1.13.6Securityv1.13.6 patches two serious security vulnerabilities in SPIRE: an EC2 instance impersonation flaw in the AWS IID attestor and a race condition in join token handling. Upgrade immediately.
securityUpgrade now if you use AWS IID node attestation
The AWS IID attestor vulnerability is severe: any attacker controlling an EC2 instance could forge the identity of any other EC2 instance in your environment during node attestation. All downstream RBAC, SVID issuance, and workload identity decisions would operate on the forged identity. If you run SPIRE with the aws_iid server plugin, treat this as a critical incident — patch to v1.13.6 before doing anything else. Review your SPIRE server logs for unexpected node attestation events from EC2 instances, especially cross-account or cross-region patterns.
securityAudit join token usage if you allow concurrent agent bootstrapping
The TOCTOU bug in join token handling means two agents racing to attest with the same token could both succeed — violating the one-time-use guarantee. In practice this could allow unauthorized agents to join your trust domain. After upgrading, rotate any join tokens that may have been used during periods of concurrent agent bootstrapping. If you use join tokens in automation (e.g., init containers, CI pipelines), review whether parallel execution could have triggered this race.
主な変更 (3)
- Fixed AWS IID attestor bug where PKCS7 signature was verified against embedded content but identity was parsed from an attacker-controlled field — enabling full EC2 impersonation during node attestation
- Fixed TOCTOU race in join token attestation: concurrent requests with the same token could both succeed; now enforced via read-modify-write transaction with row locking
- Both vulnerabilities reported by Tianshuo Han; no new features or other changes in this release