Technical Alert #6: Security issue in JavaScript dependencies & delayed shard replication problem - ArangoDB


On Thursday, June 15th, we identified two critical issues in our releases of ArangoDB, affecting all versions up to and including 3.6.14 and 3.7.12:

  • A security-relevant problem in our NPM dependencies (all deployment types)
  • A rare problem with the sync protocol, which leads to followers lagging behind in synchronization over longer periods (cluster deployments only)

Please read the upgrade notes below carefully and upgrade affected deployments!

Issue Description

A security issue was discovered in one of the JavaScript libraries that are shipped with and used by ArangoDB. The dependency requires an update.

The synchronous replication protocol used in cluster deployments has a flaw that can cause follower shards to lag behind the leader shards for extended periods of time without the delayed synchronization being detected. Although this occurs rarely, it can lead to inconsistencies between replicas, which may cause follow-up problems.

Issue Resolution

Both issues are fixed in versions 3.6.15, 3.7.13, and 3.8.0.

It is important that you upgrade to the respective bugfix version based on your current version:

  • Upgrade from 3.6.x to 3.6.15
  • Upgrade from 3.7.x to 3.7.13

Do not upgrade from your current version to a release older than the above-listed versions!

  • In the case of a manual cluster deployment upgrade, it is crucial that you set and keep the supervision in maintenance mode during the whole upgrade process.
  • In the case of an ArangoDB Starter cluster deployment, make sure to use at least version 0.15.0-1 of the starter.
  • In the case of a Kubernetes-operated cluster, make sure to use at least version 1.2.0 of kube-arangodb.
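As an added example (not part of the ArangoDB alert), the following Python script encodes the version rules above so an operator can audit a fleet: it reads the JSON body of a `GET /_api/version` call, reports which bugfix release a server must move to, and treats anything below the listed fixed versions as an unacceptable target. The response bodies in the script are constructed samples; the assumption that series before 3.6 are out of scope is mine.

```python
"""Added example (not ArangoDB's own code): classify an ArangoDB server
version against the fixed versions named in Technical Alert #6.
The /_api/version bodies used at the bottom are constructed samples."""
import json

# Fixed versions named in the alert, keyed by minor series.
FIXED = {(3, 6): (3, 6, 15), (3, 7): (3, 7, 13), (3, 8): (3, 8, 0)}


def parse_version(text):
    """Turn '3.7.12' (a '-1' style suffix is ignored) into an int tuple."""
    parts = text.split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version):
    """True if the version already carries both fixes: >= 3.6.15 in the
    3.6 series, >= 3.7.13 in 3.7, and anything from 3.8.0 on.
    Assumption: series older than 3.6 are out of scope and report False."""
    v = parse_version(version)
    if v[:2] in FIXED:
        return v >= FIXED[v[:2]]
    return v >= (3, 8, 0)


def required_upgrade(version):
    """Return the bugfix version to move to, or None if nothing is required.
    Per the alert, 3.6.x goes to 3.6.15 and 3.7.x goes to 3.7.13; the alert
    names no target for other unfixed series, so those raise."""
    if is_fixed(version):
        return None
    target = FIXED.get(parse_version(version)[:2])
    if target is None:
        raise ValueError(f"no upgrade target listed in the alert for {version}")
    return ".".join(map(str, target))


def check_server(version_body):
    """Read a GET /_api/version JSON body and report the required upgrade."""
    return required_upgrade(json.loads(version_body)["version"])


if __name__ == "__main__":
    # Constructed sample bodies in the shape of /_api/version responses.
    for body in ('{"server": "arango", "version": "3.7.12"}',
                 '{"server": "arango", "version": "3.6.15"}'):
        print(body, "->", check_server(body))
```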

Additional Questions

In case of any questions, please contact us. ArangoDB Customers can open a support ticket in our Support Platform.
