Technical advisories report major issues with CockroachDB that may impact security or stability in production environments.
Users are invited to evaluate advisories and consider the recommended mitigation actions independently from their version upgrade schedule.
Advisory | Summary | Affected versions | Date |
---|---|---|---|
A-79066 | Data key rotation is inadvertently disabled if the store key hasn't changed since the last node start. | All clusters with encryption-at-rest enabled running versions of CockroachDB v20.2.x, v21.1.0-v21.1.18, and v21.2.0-v21.2.9. | May 2, 2022 |
A-79384 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0-v21.1.17, v21.2.0-v21.2.8, v22.1.0-alpha.1-v22.1.0-beta.1 | April 14, 2022 |
A-79281 | Importing duplicate keys can cause violations of UNIQUE constraints. | v21.2.0-v21.2.7, 22.1.0-alpha.1-22.1.0-alpha.5, v22.1.0-beta.1. | April 12, 2022 |
A-78681 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0-v21.1.16, v21.2.0-v21.1.7, 22.1.0-alpha.1-22.1.0-alpha.5 | April 11, 2022 |
A-76522 | The optimizer can omit ON conditions of joins in query plans, causing incorrect results. | v20.2.0-v20.2.19, v21.1.0-v21.1.15, v21.2.0-v21.2.6 | March 9, 2022 |
A-75758 | Users without the appropriate permissions may cancel any other users' sessions from the DB Console. | v20.2.0-v20.2.18, v21.1.0-v21.1.13, v21.2.0-v21.2.4 | February 10, 2022 |
A-74736 | Queries can miss rows in a primary or unique index that is being scanned, causing incorrect query results. | v21.2.0-v21.2.4 | February 7, 2022 |
A-74385 | Partial indexes can be corrupted by UPDATE statements, resulting in incorrect query results for any queries that use the partial index | v21.1 and v21.2 prior to v21.1.13 and v21.2.4 | January 6, 2022 |
A-CVE-2021-44228 | No Cockroach Labs products or services are affected by the recent CVE-2021-44228 Apache Log4j vulnerability. | None | December 14, 2021 |
A-73629 | Planning queries over partitioned tables with a DEFAULT partition in a PARTITION BY LIST clause could cause a spurious internal error | v21.1 and v21.2 prior to v21.1.13 and v21.2.3 | December 14, 2021 |
A-73024 | The optimizer could plan queries that use semi-joins against multi-region REGIONAL BY ROW tables incorrectly | v21.2.0 | November 29, 2021 |
A-72839 | Backups fail during upgrade process | v21.2.0 | November 18, 2021 |
A-71553 | SQL statements that used secondary unique indexes that were created as a result of an ALTER PRIMARY KEY statement can return incorrect results. | v20.2, v21.1 | November 8, 2021 |
A-71655 | Zigzag joins could potentially produce incorrect results | v19.2, v20.1, v20.2, v21.1 | November 2, 2021 |
A-71002 | CockroachDB v21.1.9 drops WHERE predicates from prepared statements in specific circumstances | v21.1.9 | October 7, 2021 |
A-69874 | CockroachDB v21.1.8 cannot be downgraded | v21.1.8 | September 7, 2021 |
A-68005 | sql.trace.txn.enable_threshold cluster setting causes crash loops | v21.1.0-v21.1.6 | August 20, 2021 |
A-62842 | TRUNCATE TABLE during CREATE/ALTER INDEX can cause data corruption | v20.2.0-v20.2.8 | July 29, 2021 |
A-64325 | Race condition between reads and replica removal | v20.1 and later | May 3, 2021 |
A-63162 | Invalid incremental backups under certain circumstances | v19.1.0-v19.1.11, v19.2.0-v19.2.12, v20.1.0-v20.1.14, v20.2.0-v20.2.7 | April 30, 2021 |
A-58932 | HTTP requests can cause full-cluster denial of service (DoS) | v19.2.0-v19.2.11, v20.1.0-v20.1.10, v20.2.0-v20.2.3 | February 2, 2021 |
A-56116 | Incorrect timezone calculations with "slim" zoneinfo format | All | October 29, 2020 |
A-54418 | Incorrect behavior with large batch UPSERTs | v20.1.4, v20.1.5 | September 24, 2020 |
A-50587 | TRUNCATE prevents table renaming | v19.1.0-v19.1.10, v19.2.0-v19.2.8 | July 6, 2020 |
A-48860 | Data corruption/loss issue with snapshots and delete range | v2.1.0-v2.1.9, v19.1.0-v19.1.8, v19.2.0-v19.2.6 | May 20, 2020 |
A-44299 | Schema changes may cause cluster unavailability | v19.1.0-v19.1.7, v19.2.0-v19.2.3 | February 12, 2020 |
A-44348 | Data leak in statement details | 2.1.0-2.1.11, v19.1.0-v19.1.7, v19.2.0-v19.2.3 | February 12, 2020 |
A-44166 | SHOW JOBS and Jobs page can endanger cluster stability | v19.2.0-v19.2.2 | February 12, 2020 |
A-43870 | HTTP authentication for non-Enterprise users | v2.1.10-onward, v19.1.6-onward, v19.2.2 | January 22, 2020 |
A-42567 | HTTP endpoint vulnerability | v2.1.0-v2.1.8, v19.1.0-v19.1.5, v19.2.0-v19.2.1 | January 22, 2020 |
A-30821 | Authentication bypass for internal RPCs | v1.1.0-v1.1.8, v2.0.0-v2.0.4 | October 1, 2018 |