StackStorm v3.6.0 Released

December 16, 2021

by Marcel Weinberg and Aaron Jonen

The new maintenance and security update v3.6.0 has been released!

StackStorm v3.6.0 comes with an important security fix and great improvements for developers and users.

See below for further information on what is included in the release.

Security fix – CVE-2021-44657

In StackStorm versions prior to 3.6.0, the Jinja interpreter was not run in sandbox mode and thus allowed execution of unsafe system commands by st2 users. StackStorm 3.6.0 now relies on Jinja's sandboxed environment, so any template that attempts to access insecure code is rejected. To exploit the vulnerability, the attacker must be logged in to the StackStorm instance (CLI/API/Web UI/Workflows).

The assigned CVE ID is CVE-2021-44657. 
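As an added illustration (not StackStorm's own code), this shows the difference between a plain Jinja Environment and the sandboxed environment the fix relies on. The template strings are constructed samples, and using StrictUndefined is an assumption made here so that the sandbox's refusal surfaces as a SecurityError instead of an empty string.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample templates. The second one reaches for a private
# attribute, which Jinja's sandbox treats as unsafe (any name starting with "_").
BENIGN_TEMPLATE = "Hello {{ name }}!"
UNSAFE_TEMPLATE = "{{ name.__class__ }}"


def render_unsandboxed(template, **ctx):
    """Plain Environment: attribute access is not policed (the pre-3.6.0 situation, assumed)."""
    return Environment().from_string(template).render(**ctx)


def render_sandboxed(template, **ctx):
    """SandboxedEnvironment: unsafe attribute access is refused.

    StrictUndefined is an assumption made here so that the refusal raises
    SecurityError rather than silently rendering as an empty string.
    """
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(template).render(**ctx)


def check_template(template, **ctx):
    """Return ("ok", output) for a safe template, ("rejected", reason) otherwise."""
    try:
        return ("ok", render_sandboxed(template, **ctx))
    except SecurityError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(check_template(BENIGN_TEMPLATE, name="st2"))
    print(check_template(UNSAFE_TEMPLATE, name="st2"))
    # The plain environment resolves the private attribute without complaint.
    print(render_unsandboxed(UNSAFE_TEMPLATE, name="st2"))
```

The check_template helper is the shape of a pre-deployment lint a defender can run over pack templates: a benign template renders, while one that touches an underscore-prefixed attribute is rejected.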

If you are a researcher or user that discovers a security issue, we welcome you to send us a report. See https://stackstorm.com/security/ for more info.

Service configuration

Previously, users needed to edit the systemd unit file of each service to change its IP and port. The static .socket systemd units in the deb and rpm packages have been replaced with a Python-based generator for st2api, st2auth and st2stream. As a result, st2.conf is now the only place to configure the host and port for the st2api, st2auth and st2stream listeners.

Installers

There is a significant change to the bash installer. Previous releases used the operating system's package repository to install RabbitMQ. As of StackStorm v3.6.0, the installer always installs the latest stable RabbitMQ version from the official RabbitMQ repositories.

CLI & API & UI Changes And Improvements

Adding secrets to the KV store is now safer. New values can be added to the KV store via the CLI without leaking them to the shell history: if the value is not already provided on the command line, the user is prompted for it.

The new CLI argument --remove-files (short form -r) extends the st2 action delete <pack>.<action> command: it deletes the action's database entry along with the corresponding files from disk.

The action DELETE API method now supports {"remove_files": true} in the JSON body to delete the database entry along with the files. The default behaviour for both the CLI and the API is to keep the files on disk, so this improvement does not introduce a breaking change.

In addition there is a new option to delete an action in the Web UI, which will delete from the database and optionally from disk as well.

The --python3 flag of the st2client has now been removed completely.

StackStorm Code Profiling And Debugging

Two new flags to improve the developer experience have been added to all services. --enable-profiler enables a cProfile-based profiler for the service and dumps the profiling data to a file on process exit. --enable-eventlet-blocking-detection enables eventlet's long-operation / blocked-main-loop detection and throws an error if a piece of code blocks longer than a specific duration in seconds.

Both flags should never be used in production, only in development or similar environments when profiling or debugging code.

Other Changes

Additional changes include:

  • Minimum TTL on garbage collection for action executions and trigger instances has been reduced from 7 days to 1 day.
  • The MongoDB client no longer uses the deprecated isMaster command. It has been replaced by ping.
  • update_executions() is now atomic, as the update is protected by a coordination lock. This improves the reliability of the execution status output, especially for workflows.
  • Actionrunners now stop the Kombu consumer thread. This addresses a bug where unhealthy actionrunner pods picked up actions from the queue while they were unable to process them. The fix ensures that only healthy, running actionrunners or actionrunner pods pick up requested actions from the queue.

Find the full StackStorm/st2 changelog for v3.6.0 here.

Special Thanks

Thanks to Tomaz Muraus for the new flags that will support us in profiling, debugging and improving StackStorm.

Special thanks to Amanda McGuinness of intive for leading the previous Release v3.5.0 and familiarizing me with the release process, her guidance and her efforts improving the installers in various places.

Thanks to Aaron Jonen for being the assistant release manager and supporting me during the release process. Thanks to Eugen and Jacob Floyd for their guidance and assisting me whenever I had any questions.

We would like to thank everyone who has contributed towards this release. All the improvements would not have been possible without the numerous contributions of our community via bug reports, feature requests, Slack, GitHub Discussions and, of course, actual code.

P.S.

We invite everyone to join the StackStorm community on Slack and GitHub to contribute to the future development of StackStorm. Every contribution, whether it is a question, an idea for an improvement, a feature or fix to the code or documentation, or use cases and experience shared with the community, is highly appreciated!