fix(deps): update module github.com/nats-io/nats-server/v2 to v2.10.4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/nats-io/nats-server/v2	v2.10.1 -> v2.10.4

GitHub Vulnerability Alerts

CVE-2023-47090

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

NATS users exist within accounts, and once using accounts, the old authorization block is not applicable.

Problem Description

Without any authorization rules in the nats-server, users can connect without authentication.

Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside accounts go into the newer "accounts" block.

If an "accounts" block is defined, in simple deployment scenarios this is often used only to enable client access to the system account. When the only account added is the system account "$SYS", the nats-server would create an implicit user in "$G" and set it as the no_auth_user account, enabling the same "without authentication" logic as without any rules.

This preserved the ability to connect simply, and then add one authenticated login for system access.

But with an "authorization" block, this is wrong. Users exist in the global account, with login rules. And in simple testing, they might still connect fine without administrators seeing that authentication has been disabled.

The blind-spot on our part came from encouraging and documenting a switch to using only "accounts", instead of "authorization".

In the fixed versions, using an "authorization" block will inhibit the implicit creation of a "$G" user and setting it as the no_auth_user target. In unfixed versions, just creating a second account, with no users, will also inhibit this behavior.

Affected versions

NATS Server:

• 2.2.0 up to and including 2.9.22 and 2.10.1
• Fixed with nats-io/nats-server: 2.10.2 and backported to 2.9.23

Workarounds

In the "accounts" block, define a second non-system account, leave it empty.

accounts {
    SYS: {
        users: [
            { user: sysuser, password: makemeasandwich }
        ]
    }
    DUMMY: {}  # for security, before 2.10.2
}
system_account: SYS

Solution

Any one of these:

1. Upgrade the NATS server to at least 2.10.2 (or 2.9.23)
2. Or define a dummy account
3. Or complete the migration of authorization entries to be inside a named account in the "accounts" block

Credits

Problem reported by Alex Herrington.
Addressed publicly in a GitHub Discussion prior to this advisory.

CVE-2023-46129

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts.

Problem Description

The nkeys library's "xkeys" encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key.

This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY.

Affected versions

nkeys Go library:

• 0.4.0 up to and including 0.4.5
• Fixed with nats-io/nkeys: 0.4.6

NATS Server:

• 2.10.0 up to and including 2.10.3
• Fixed with nats-io/nats-server: 2.10.4

Solution

Upgrade the nats-server.
For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.

Credits

Problem reported by Quentin Matillat (GitHub @​tinou98).

---

Release Notes

nats-io/nats-server (github.com/nats-io/nats-server/v2)

v2.10.4

Compare Source

Changelog

Refer to the 2.10 Upgrade Guide for backwards compatibility notes with 2.9.x.

CVEs

• CVE-2023-46129 - nkeys: xkeys seal encryption used fixed key for all encryption

Go Version

• 1.21.3

Dependencies

• github.com/nats-io/nats.go v1.31.0
• github.com/nats-io/nkeys v0.4.6
• github.com/klauspost/compress v1.17.2
• golang.org/x/crypto v0.14.0
• golang.org/x/sys v0.13.0

Added

JetStream

• Report Raft group name in stream and consumer info responses (#​4661)

MQTT

• Add config options to disable QoS 2 support (#​4705)

TLS

• Add opt-in TLS handshake first for client connections (#​4642)

Improved

Dependencies

• Remove unnecessary constraints dependency for ordered constraint (#​4709) Thanks to @​misterpickypants for the contribution!

JetStream

• Add internal pprof labels as metadata to the stream config for improved debuggability (#​4662)
• Stricter management of Raft state, which should improve recovery from a leaderless state (#​4684)
• Avoid unnecessary reallocations when writing the full filestore state to disk (#​4687)
• Improve recovery of blocks that are being updated midway (#​4692)
• Recycle filestore buffers on rebuild and write out full state prior to snapshotting (#​4699)
• Extend AckTerm advisory event to support a reason (#​4697)
• Improve time to select skip list and starting sequence number for deliver last by subject (#​4712, #​4713) Thanks to @​StanEgo for the report!
• Optimize loading messages on last by subject if max messages per subject is one (#​4714)

MQTT

• No longer require a server name to be set for a standalone server (#​4679)

Routes

• Remove unnecessary account lookups for pinned accounts (#​4686)
• Upgrade non-solicited routes if present in config (#​4701, #​4708)

Systemd

• Use correct network target to prevent host-dependent race conditions when establishing external connections (#​4676)

Fixed

Configuration

• Fix possible panic during configuration reload during a server shutdown (#​4666)

Exports/imports

• Prevent service import from duplicating MSG as HMSG with a remapped subject (#​4678) Thanks to @​izwerg for the report!

JetStream

• Fix panic if store error occurs when requesting consumer info (#​4669)
• Fix incorrect calculation of num pending with a filtered subject (#​4693) Thanks to @​a-h for the report!
• Prevent purge of entire stream when targeting a sequence of 1 (#​4698) Thanks to @​john-bagatta for the report!
• Ensure there is a valid messages queue prior to processing within a mirror (#​4700)
• Avoid concurrent consumer setLeader calls resulting in chance of multiple leaders (#​4703)

MQTT

• Fix memory leak for retained messages (#​4665) Thanks to @​pricelessrabbit for the contribution!

Windows

• Ensure signal handler is stopped when shutting down on Windows to prevent goroutine leak (#​4690)

Complete Changes

v2.10.3

Compare Source

Changelog

Refer to the 2.10 Upgrade Guide for backwards compatibility notes with 2.9.x.

Go Version

• 1.21.3

Fixed

JetStream

• Reclaim more space with streams having many interior deletes during compaction with compression enabled (#​4645)
• Fixed updating a non unique consumer on workqueue stream not returning an error. Thanks to @​mdawar for the contribution (#​4654)
• Stream / KV lookups fail after decreasing history size (#​4656)
• Only mark fs as dirty vs full write on mb compaction (#​4657)

MQTT

• Fix crash in MQTT layer with outgoing PUBREL header (#​4646)

Complete Changes

v2.10.2

Compare Source

Changelog

Downgrade compatibility note

2.10.x brings on-disk storage changes which bring significant performance improvements. Upgrade existing server versions will handle the new storage format transparently. However, if a downgrade from 2.10.x occurs, the old version will not understand the format on disk with the exception 2.9.22 and any subsequent patch releases for 2.9. So if you upgrade from 2.9.x to 2.10.0 and then need to downgrade for some reason, it must be back to 2.9.22+ to ensure the stream data can be read correctly.

Go Version

• 1.21.2

Dependencies

• github.com/nats-io/nats.go v1.30.2

Added

Profiling

• Add prof_block_rate config option for configuring the block profile (#​4587)
• Add more pprof labels to consumers, sources, and mirrors (#​4609)

Improved

Core

• Reduce contention when pattern matching subjects when the sublist cache is disabled (#​4586)
• Various service import reply optimizations (#​4591)
• Remove unnecessary lock on subscription list if cache is disabled (#​4594)

Docs

• Fix links in various repo markdown files (#​4590) Thanks to @​jdhenke for the contribution!

Leafnodes

• Set S2 writer concurrency to 1 rather than the default of GOMAXPROCS to improve performance (#​4570)

JetStream

• Make install snapshot errors rate limited when catching up (#​4574)
• Log a warning on reset if bad stream state is detected (#​4583)
• Change some contended locks to atomic swap operations (#​4585)
• Log a warning if filestore recovery fails on the happy path (#​4599)
• Ensure concurrent stream of the same stream does not return not found (#​4600)
• Add additional markers for indicating unflushed state (#​4601)
• Log a warning when subject skew is detected in the filestore (#​4606)
• Reduce contention for a high number of connections in JetStream enabled account (#​4613)
• Reduce contention in the consumer info API (#​4615)
• Reduce contention and increase throughput of replica synchronization (#​4621)

Systemd

• Update systemd scripts to use SIGUSR2 (lame duck model) for shutdown (#​4603)

WebSocket

• Minimize memory growth for compressed WebSocket connections (#​4620)
• Significantly reduce allocations in WebSocket interface (#​4623)

Fixed

Accounts

• Fix inversion of lock on startup when setting up the account resolver (#​4588)
• Prevent bypassing authorization block when enabling system account access in accounts block (#​4605) Thanks to @​alexherington for the report!

Leafnodes

• Prevent a leafnode cluster from receiving a message multiple times in a queue subscription (#​4578) Thanks to @​pcsegal for the report!

JetStream

• Fix possible panic due to message block unlock occurring prematurely (#​4571)
• Guard against an accounting error resulting in a negative message count (#​4575)
• Skip enabling direct gets if no commits (#​4576)
• In lame duck mode, shutdown JetStream at the start to signal transfer of leadership if the leader (#​4579)
• Fix possible stream assignment race condition (#​4589)
• Fix race condition during leader failover scenarios resulting in potential duplicate messages being sourced (#​4592)
• Respond with “not found” for consumer info if consumer is closed (#​4610)
• Prevent processing of consumer assignments after JetStream shutdown occurs (#​4625)
• Fix possibly lookup misses when MaxMsgsPerSubject=1 leading to excess messages in stream (#​4631)

MQTT

• Fix PUBREL header incompatibility (#​4616)

Routes

• Fix potential of pinned accounts not establishing a route on connect (#​4602)

Complete Changes

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.