This release addresses a security issue as documented in CVE-2022-31066.
Users should upgrade to EdgeX Foundry Kamakura release (2.2.0) or to the June 2022 EdgeX Foundry LTS Jakarta release (2.1.1).
Bug Fixes in this release
- The /api/v2/config endpoint exposes message bus credentials to local unauthenticated users. In security-enabled mode, message bus credentials are supposed to be kept in the EdgeX secret store and require authentication to access. This vulnerability bypasses the access controls on message bus credentials when running in security-enabled mode. (No credentials are required when running in security-disabled mode.) As a result, attackers could intercept data or inject fake data into the EdgeX message bus.
- Additional bug fixes (these issues were already fixed in Kamakura, but were also fixed in this Jakarta patch given the need to create a patch release to address the CVE):
See the Jakarta Issue project board for more details.
SDK Dot Releases
The following SDKs were also released as part of this patch release. Please note that device and application functions SDKs can and do release minor versions independently.
- Go SDK, DS: 2.1.1
- App Functions SDK: 2.1.1
Device and Application Services
These services were released with the patch release. Please note that device and application services can and do release minor versions independently.
- device-snmp-go v2.1.1
- device-modbus-go v2.1.1
- device-mqtt-go v2.1.1
- device-gpio v2.1.1
- device-virtual-go v2.1.1
- device-rest-go v2.1.1
- app-service-configurable v2.1.1
- app-rfid-llrp-inventory v2.1.1