StackStorm 2.9.3/2.10.3

March 8, 2019
By Matt Stone

In the last couple of weeks StackStorm has published back-to-back releases. 2.10.2 is a traditional patch release from StackStorm, and you’ll find some of the highlights below. 2.10.3 and 2.9.3, however, are releases that address CVE-2019-9580. I want to thank Barak Tawily and Anna Tsibulskaya, the researchers who discovered the issue and submitted a patch for it.

The issue found by Barak and Anna is improper handling of CORS headers, specifically the value the StackStorm API returned for Access-Control-Allow-Origin. Prior to 2.10.3/2.9.3, if the origin of the request was not in the configured allow list, the API returned null. As Mozilla’s documentation notes, and browser behavior confirms, null is not a safe "deny" value: a browser serializes the origin of a sandboxed iframe, a data: URL or a locally opened file as the literal string null, so a response carrying Access-Control-Allow-Origin: null is readable from any such attacker-controlled context, since the browser compares the two strings and finds them equal. That allowed cross-origin, XSS-style attacks against the StackStorm API from pages an operator never whitelisted. The fix is relatively straightforward: as of 2.10.3/2.9.3, if the origin is unknown StackStorm returns the first configured origin in the Access-Control-Allow-Origin header. That value can never equal the unknown requester’s origin, so the browser blocks the cross-origin read.
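The following is an added example that models the before-and-after behavior described above; it is not StackStorm’s middleware code. The function names (acao_header_before, acao_header_after, browser_allows_read, demo), the allow list in ALLOWED_ORIGINS and the simplified browser check are assumptions made for the illustration; only the two fallback behaviors (unknown origin answered with null before the fix, with the first configured origin after it) come from the text.

```python
"""Model of the CORS origin handling behind CVE-2019-9580.

Added illustration, not StackStorm's own middleware. Names and the
allow list below are assumptions; the two fallback behaviours mirror
the text: unknown origin -> "null" before 2.10.3/2.9.3, unknown origin
-> first configured origin afterwards.
"""

# Constructed allow list: the origins an operator might whitelist for
# the API. Any origin not in this list is "unknown".
ALLOWED_ORIGINS = ["https://st2.example.com", "https://ops.example.com"]


def acao_header_before(request_origin, allowed_origins=ALLOWED_ORIGINS):
    """Pre-fix behaviour: echo a known origin, otherwise answer "null".

    The "null" fallback looks like a denial but is a real, matchable
    value for the browser (see browser_allows_read).
    """
    if request_origin in allowed_origins:
        return request_origin
    return "null"


def acao_header_after(request_origin, allowed_origins=ALLOWED_ORIGINS):
    """Fixed behaviour: echo a known origin, otherwise the first allowed one.

    The first configured origin cannot equal an unknown requester's
    origin, so the browser treats the response as not shared.
    """
    if request_origin in allowed_origins:
        return request_origin
    return allowed_origins[0]


def browser_allows_read(request_origin, acao_value):
    """Simplified browser CORS decision for a cross-origin response.

    Browsers compare the serialized request origin with the header
    value as plain strings ("*" is handled separately for credentialed
    requests and is omitted here). A sandboxed iframe, a data: URL or a
    file: page serializes its origin as the literal string "null", so
    Access-Control-Allow-Origin: null matches it exactly.
    """
    return acao_value == request_origin


def demo():
    """Run an attacker-controlled "null" origin through both versions."""
    # Constructed attacker context: a sandboxed iframe (<iframe sandbox>)
    # on the attacker's page sends Origin: null.
    attacker_origin = "null"
    before = browser_allows_read(attacker_origin,
                                 acao_header_before(attacker_origin))
    after = browser_allows_read(attacker_origin,
                                acao_header_after(attacker_origin))
    return {"before_fix_readable": before, "after_fix_readable": after}


if __name__ == "__main__":
    for origin in ["https://st2.example.com", "https://evil.example", "null"]:
        print(origin,
              "before:", acao_header_before(origin),
              "after:", acao_header_after(origin))
    print(demo())
```

The model deliberately stops at the Access-Control-Allow-Origin comparison. For an attacker to read authenticated data, the browser also has to attach the victim’s credentials to the cross-origin request and the server has to answer with Access-Control-Allow-Credentials: true; whether that holds for a given StackStorm deployment depends on how the API is authenticated and is outside what this post states. When auditing your own API, check what it returns for an Origin header that is not on the allow list: the answer should be a value that cannot match the requester, never null.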

Thanks again to Barak and Anna for the report, and if you are a researcher or user who discovers a security issue please reach out to info@stackstorm.com.

Now back to our regularly scheduled release blog.

Our latest release continues StackStorm on its journey to 3.0, and has a plethora of bug and performance fixes. We continue to bring Orquesta closer to GA, and the community has been a great asset, both reporting new issues and providing new feature requests. Some of the release highlights include:

  • Add support for various new SSL / TLS related config options in the messaging section of the st2.conf config file.
  • Metrics instrumentation for the st2notifier service.
  • Fix datastore value encryption and make sure it also works correctly for unicode (non-ASCII) values.
  • Moved the lock from concurrency policies into the scheduler to fix a race condition that occurred when multiple scheduler instances scheduled executions for an action with concurrency policies.

As always, you can check the release notes for the complete list of changes. We’ll see you again soon for 3.0.