
Releases of KrakenD EE 2.7.1 and KrakenD CE 2.7.1 with minor fixes

by Albert Lombarte

A new patch version of KrakenD Enterprise 2.7.1 and KrakenD Community 2.7.1 is now available on the download page and the Docker registry. This update addresses minor functionality and security improvements.

This release is classified as a security release because of CVE-2024-28180. The vulnerability could allow an attacker to send a JWE containing compressed data, which could consume significant memory and CPU resources when decompressed. However, KrakenD does not support JWE, so this finding is a false positive in security scans. Although there is no risk to users, we have upgraded several libraries, including OpenTelemetry and Gcloud, so that KrakenD is not flagged by security tools.
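To illustrate the class of problem behind CVE-2024-28180 and the defensive pattern that closes it, here is an added example written for this post; it is not KrakenD or go-jose code. It decompresses a DEFLATE payload through an `io.LimitReader` so that a tiny compressed input cannot force the process to allocate an unbounded amount of memory. The cap of 250 KiB, the function names and the sample inputs are all constructed for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when the inflated output would exceed the cap.
var ErrDecompressedTooLarge = errors.New("decompressed payload exceeds configured limit")

// deflateBytes compresses data with DEFLATE. It is only used here to build the
// constructed sample inputs below.
func deflateBytes(data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(data); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// inflateBounded inflates DEFLATE data but never materialises more than maxOut
// bytes: the reader is wrapped in io.LimitReader, so a small compressed input
// that expands to many megabytes is rejected after maxOut+1 bytes instead of
// being allocated in full.
func inflateBounded(compressed []byte, maxOut int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	// Allow one byte past the cap so that "exactly maxOut" can be told apart
	// from "more than maxOut".
	out, err := io.ReadAll(io.LimitReader(r, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

func main() {
	const maxOut = 250 * 1024 // example cap (assumption, not a KrakenD or go-jose setting)

	// Constructed inputs: a normal small claim set and a highly compressible blob.
	small, _ := deflateBytes([]byte(`{"sub":"user-123","scope":"read"}`))
	bomb, _ := deflateBytes(bytes.Repeat([]byte{0}, 8<<20)) // 8 MiB of zeros

	if out, err := inflateBounded(small, maxOut); err == nil {
		fmt.Printf("small payload ok: %s\n", out)
	}
	if _, err := inflateBounded(bomb, maxOut); errors.Is(err, ErrDecompressedTooLarge) {
		fmt.Printf("%d compressed bytes rejected: %v\n", len(bomb), err)
	}
}
```

The point of the pattern is that the memory bound is enforced while reading, not after: a check on `len(out)` placed after an unbounded `io.ReadAll` would already have allocated the full inflated size.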

The changes for both products are:

🚀 Summary of changes for EE v2.7

Minor security fixes and JWK caching

  • Updated the JOSE library so that scanners no longer flag CVE-2024-28180, even though it does not affect KrakenD.
  • The gocloud library has been updated to a higher version (includes minor security fixes for PubSub, Secrets, Azure and AWS integrations)
  • OpenTelemetry libraries updated
  • Go language updated to v1.22.7
  • The check plugin command printed the help output unnecessarily
  • Prevent a failing Identity Provider from being queried constantly by introducing the failed_jwk_key_cooldown property
  • OpenAPI generated incorrect URL patterns for endpoints with placeholders because it decoded their special characters
  • OpenAPI did not accept keys with dots in the schemas
  • OpenAPI did not take dynamic routing into account and required input_headers and input_query_strings to be declared manually; they are now automatic
  • Tiered rate limit durations were incorrectly parsed
  • Inheritance in the extended flexible configuration did not allow special characters

Upgrading to the latest version is always advised.

🚀 Summary of changes for CE v2.7

Minor security fixes and JWK caching

  • Updated the JOSE library so that scanners no longer flag CVE-2024-28180, even though it does not affect KrakenD.
  • The gocloud library has been updated to a higher version (includes minor security fixes for PubSub, Secrets, Azure and AWS integrations)
  • OpenTelemetry libraries updated
  • Go language updated to v1.22.7
  • The check plugin command printed the help output unnecessarily
  • Prevent a failing Identity Provider from being queried constantly by introducing the failed_jwk_key_cooldown property

Upgrading to the latest version is always advised.
