Technical Alert #6: Security issue in JavaScript dependencies & delayed shard replication problem
On Thursday, June 15th, we identified two critical issues in our releases of ArangoDB, affecting all versions up to and including 3.6.14 and 3.7.12:
- A security-relevant problem in our NPM dependencies (all deployment types)
- A rare problem with the sync protocol, which leads to followers lagging behind in synchronization over longer periods (cluster deployments only)
Please read below upgrade notes carefully and upgrade affected deployments!
Issue Description
A security issue was discovered in one of the JavaScript libraries that are shipped with and used by ArangoDB. The dependency requires an update.
The synchronous replication protocol used in cluster deployments has a flaw that can cause follower shards to lag behind the leader shards for extended periods of time, without detecting that the synchronization is delayed. While uncommon to occur, it can lead to inconsistencies between replicas that may cause follow-up issues.
Issue Resolution
Both issues are fixed in versions 3.6.15, 3.7.13, and 3.8.0.
It is important that you upgrade to the respective bugfix version based on your current version:
- Upgrade from 3.6.x to 3.6.15
- Upgrade from 3.7.x to 3.7.13
Do not upgrade from your current version to a release older than the above-listed versions!
- In the case of a manual cluster deployment upgrade, it is crucial that you set and keep the supervision in maintenance mode during the whole upgrade process.
- In the case of an ArangoDB Starter cluster deployment, make sure to use at least version 0.15.0-1 of the starter.
- In the case of a Kubernetes-operated cluster, make sure to use at least version 1.2.0 of
kube-arangodb.
Additional Questions
In case of any questions, please contact us. ArangoDB Customers can open a support ticket in our Support Platform.