Temporal has been added to the CVE Program as a CVE Numbering Authority (CNA). This is a great milestone for our team and reflects our commitment to security and transparency. As an organization, we are now able to clearly communicate specific issues regarding our software. If users who self-host Temporal scan for known vulnerabilities, they will now receive alerts about known issues and can determine what they need to do to secure their Temporal clusters.
CVE stands for “Common Vulnerability and Exposure,” but most people know it as a series of characters representing a security issue. The security issues that earn a CVE number can range from vulnerabilities that impact millions of organizations to those that impact only a small number of users under specific circumstances. You might’ve heard of the OpenSSL “Heartbleed” vulnerability first reported back in 2014 (CVE-2014-0160), or the Janet Jackson music video that can cause hard drives to crash (CVE-2022-38392).
A major factor in our decision to become a CNA was a report earlier this year from our friends at Datadog. Folks from that team discovered and reported an issue in which potentially impacted users self-hosting Temporal Server. The issue dealt with namespace protections enforced by Temporal Server, which could be circumvented under certain conditions due to the default configuration not enforcing these checks. An attacker would have to create their own task token with information about the target namespace as well as information from a workflow’s history to create the token. However, once the token was created, it could be used to make some disruptive API calls to the target namespace. We have issued CVE-2023-3485 to track this vulnerability. There have been no reports of this being exploited. Temporal Cloud, our SaaS offering of Temporal Server, was not affected. This insecure default configuration was remedied in Temporal version 1.20; although newer versions of Temporal include many performance and security updates, and upgrading is our recommendation, this vulnerability can be prevented in prior versions of Temporal by setting the dynamic configuration option frontend.enableTokenNamespaceEnforcement to true (available in version 1.9.1 and later).
Software is complex, and balancing backward compatibility with speed is a difficult task. Building software without vulnerabilities is ideal, but we also accept and understand this idealistic goal is not obtainable. (If you want to help us write great code, we’re hiring!) The next best thing is to be receptive to our community when we receive reports, and announce issues—such as this one—to our community. The industry-standard way of accomplishing this is via CVEs.
Thank you for trusting our software, and we hope this level of transparency helps you continue trusting us. Please reach out to us with any questions.