v1.21.1 is a security-focused patch release addressing findings from a formal security audit, including XSS, gzip bomb, and memory amplification vulnerabilities — upgrade immediately.
securityUpgrade immediately — multiple audit findings patched
This release backports fixes from a formal security audit (V01–V07). The vulnerabilities include a stored XSS on status pages, a gzip bomb in the OTLP ingestion path, memory amplification via malformed native histogram payloads, and gossip port exposure to flood/OOM attacks. These are not theoretical — they are exploitable by any client that can reach your Cortex endpoints. Upgrade to v1.21.1 now. After upgrading, review your -distributor.otlp-max-recv-msg-size setting; the default may be too permissive depending on your ingest volume.
securityAudit your /config endpoint exposure
Prior to this release, Swift, etcd, Redis, and HTTP basic-auth credentials were exposed in plaintext on the /config endpoint. If that endpoint was accessible to internal users or scraping systems, treat those credentials as compromised and rotate them. Going forward, restrict /config access via network policy or auth middleware regardless of masking.
enhancementHarden memberlist gossip with new bounding flags
Three new flags (-memberlist.packet-read-timeout, -memberlist.max-packet-size, -memberlist.max-concurrent-connections) cap inbound gossip TCP behavior. The defaults are reasonable, but if your Cortex cluster is exposed to less-trusted network segments or you've seen gossip-related OOM events, tune these explicitly. Add them to your Helm values or config management before the next planned maintenance window.
主な変更 (7)
- Stored XSS fixed in Alertmanager and Store Gateway status pages (text/template replaced with html/template)
- Gzip decompression now capped by -distributor.otlp-max-recv-msg-size to prevent decompression bomb attacks
- Native histogram protobuf size limited to 16 KB by default via -validation.max-native-histogram-size-bytes to block memory amplification
- Memberlist gossip port hardened with new flags for packet read timeout, max packet size, and max concurrent connections
- Credentials for Swift, etcd, Redis, and HTTP basic-auth are now masked on the /config endpoint
- PushStream requests with mismatched TenantID are rejected; HMAC-SHA256 stream auth added via -distributor.sign-write-requests-keys
- Panic fixed when grpc_compression is set to snappy on ingester or store-gateway clients