This release addresses a security issue as documented in CVE-2022-31066.
Users should upgrade to EdgeX Foundry Kamakura release (2.2.0) or to the June 2022 EdgeX Foundry LTS Jakarta release (2.1.1).
If using the Docker Compose files provided by EdgeX to get and run the Jakarta EdgeX release, the compose files have already been updated to use version 2.1.1 of the services. If you use the EdgeX Jakarta snap as provided by the snapcraft store, it has also been updated to use the 2.1.1 service versions.
Bug Fixes in this release
- The /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus.
- Additional bug fixes (these fixes were already fixed in Kamakura, but were also fixed in this Jakarta patch given the need to create a patch release to address the CVE):
  - In providing a service's configuration, use a deepCopy of messageBusInfo in order to avoid external additions (fixes issues #4021 and #1108).
  - Added the Swagger endpoint missing from the App Functions SDK documentation (fixes issue #1075).
  - Added a missing volume for inventory snapshot data for the LLRP App Service (fixes issue #211).
  - Added a missing PATCH method for Metadata Addresses (fixes issue #686).
  - Upgraded to eKuiper 1.4.4, which fixes a duplicate subscription issue (fixes issue #246).
  - The version of device services was not set properly and the device service SDK version was never set (fixes issue #172).
  - Corrected an issue whereby attempting to override the AppCustom configuration settings with environment variables did not work if an existing value was already in Consul (fixes #314).
  - Addressed a concurrency issue discovered when accessing the same topicName and messageChannel (fixes issue #130).
  - In the App Functions SDK, the pipeline child context was not passed to the response handler; the initial context passed in was used instead (fixes #1010).
  - Services calling the secret store (Vault) would find that when the secret path does not exist, Vault returns 404 and resp.Body was not closed in the getAllKeys() API request (fixes issue #145).
  - In the EdgeX Foundry snap, the snap was unable to seed runtime security-proxy config options (fixes #3863).
  - Using snaps, resolved an issue whereby the edgexfoundry snap could not be installed after a device service or application service snap was installed, because of token availability (fixes #3827).
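The first two items above describe the same defensive pattern from two sides: a config endpoint must not hand out the live message bus settings, and whatever it does hand out must not contain credentials. The following Go program is an added illustration of that pattern and is not EdgeX code; the `MessageBusInfo` and `ServiceConfig` types, the `Optional` map, and the `Username`/`Password` key names are assumptions chosen to resemble a typical message bus configuration section. It contrasts a shallow view that aliases the running configuration and leaks credentials with a deep-copied, redacted view suitable for an unauthenticated endpoint.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// MessageBusInfo is an assumed stand-in for a service's message bus
// configuration section: connection settings plus an Optional map that
// may carry credentials. It is not EdgeX's own type.
type MessageBusInfo struct {
	Type     string            `json:"Type"`
	Host     string            `json:"Host"`
	Port     int               `json:"Port"`
	Optional map[string]string `json:"Optional"`
}

// ServiceConfig is the (assumed) configuration a /config-style endpoint returns.
type ServiceConfig struct {
	ServiceName    string         `json:"ServiceName"`
	MessageBusInfo MessageBusInfo `json:"MessageBusInfo"`
}

// sensitiveKeys lists Optional entries that belong in the secret store, never in
// an unauthenticated config response. The key names are assumptions.
var sensitiveKeys = []string{"Username", "Password"}

// ShallowView is the defective pattern: a struct copy still points at the live
// Optional map, so the response and the running configuration share storage,
// and credentials are returned verbatim.
func ShallowView(cfg *ServiceConfig) ServiceConfig {
	return *cfg
}

// DeepCopy returns a MessageBusInfo whose Optional map is an independent copy,
// so additions made to the returned value cannot alter the live configuration.
func DeepCopy(in MessageBusInfo) MessageBusInfo {
	out := in
	out.Optional = make(map[string]string, len(in.Optional))
	for k, v := range in.Optional {
		out.Optional[k] = v
	}
	return out
}

// SafeView is the hardened pattern: deep-copy first, then strip credentials
// before the value reaches a serialiser or any caller.
func SafeView(cfg *ServiceConfig) ServiceConfig {
	out := *cfg
	out.MessageBusInfo = DeepCopy(cfg.MessageBusInfo)
	for _, k := range sensitiveKeys {
		delete(out.MessageBusInfo.Optional, k)
	}
	return out
}

// ConfigResponseBody renders what an unauthenticated config endpoint may return.
func ConfigResponseBody(cfg *ServiceConfig) ([]byte, error) {
	return json.Marshal(SafeView(cfg))
}

// SharesOptionalMap reports whether two views alias the same Optional map,
// i.e. whether a write through one would be visible through the other.
func SharesOptionalMap(a, b ServiceConfig) bool {
	if a.MessageBusInfo.Optional == nil || b.MessageBusInfo.Optional == nil {
		return false
	}
	return reflect.ValueOf(a.MessageBusInfo.Optional).Pointer() ==
		reflect.ValueOf(b.MessageBusInfo.Optional).Pointer()
}

// sampleConfig builds constructed sample values; the credential is a placeholder.
func sampleConfig() ServiceConfig {
	return ServiceConfig{
		ServiceName: "example-service",
		MessageBusInfo: MessageBusInfo{
			Type: "redis", Host: "localhost", Port: 6379,
			Optional: map[string]string{
				"Username": "svc",
				"Password": "constructed-secret",
				"Protocol": "redis",
			},
		},
	}
}

func main() {
	cfg := sampleConfig()
	fmt.Println("shallow view aliases live config:", SharesOptionalMap(cfg, ShallowView(&cfg)))
	fmt.Println("safe view aliases live config:   ", SharesOptionalMap(cfg, SafeView(&cfg)))
	body, _ := ConfigResponseBody(&cfg)
	fmt.Println("response body:", string(body))
}
```

Run with `go run` and compare the two alias checks: the shallow view shares the map with the live configuration (so a caller appending keys would change what the service uses), while the safe view is independent and its JSON body carries no credential values.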
See the Jakarta Issue project board for more details.
SDK Dot Releases
The following SDKs were also released as part of this patch release. Please note that device and application functions SDKs can and do release minor versions independently.
- Go SDK, DS: 2.1.1
- App Functions SDK: 2.1.1
Device and Application Services
These services were released with the patch release. Please note that device and application services can and do release minor versions independently.
- device-snmp-go v2.1.1
- device-modbus-go v2.1.1
- device-mqtt-go v2.1.1
- device-gpio v2.1.1
- device-virtual-go v2.1.1
- device-rest-go v2.1.1
- app-service-configurable v2.1.1
- app-rfid-llrp-inventory v2.1.1