Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore!: upgrade minimum required aws-cdk-lib version to 2.80.0 #399

Merged
merged 1 commit into from
Aug 25, 2023
Merged

chore!: upgrade minimum required aws-cdk-lib version to 2.80.0 #399

merged 1 commit into from
Aug 25, 2023

Conversation

xiehan
Copy link
Member

@xiehan xiehan commented Aug 25, 2023
edited
Loading

Because of a security vulnerability in aws-cdk-lib prior to version 2.80.0, we are increasing the minimum required version to v2.80. See GHSA-rx28-r23p-2qc3 for the full CVE and impacts.

Who is affected?

MastersRole

Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the mastersRole property. The role in question can be located in the IAM console. It will have the following name pattern:

*-MastersRole-*

CreationRole

Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:

*-ClusterCreationRole-*

Patches

The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to aws/aws-cdk#25674 for a detailed discussion of options.

Workarounds

CreationRole

There is no workaround available for CreationRole.

MastersRole

To avoid creating the default MastersRole, use the mastersRole property to explicitly provide a role. For example:

new eks.Cluster(this, 'Cluster', { 
 ... 
 mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') 
});

References

aws/aws-cdk#25674

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via their vulnerability reporting page or directly via email to [email protected].

Closes #225

@xiehan xiehan added auto-approve A PR set to be auto-approved. security labels Aug 25, 2023
@xiehan xiehan requested a review from a team as a code owner August 25, 2023 18:42
@xiehan xiehan requested review from mutahhir and DanielMSchmidt and removed request for a team August 25, 2023 18:42
@xiehan xiehan merged commit 2ee99f1 into main Aug 25, 2023
@xiehan xiehan deleted the upgrade-aws-cdk-lib branch August 25, 2023 19:14
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for at least 30 days. This helps our maintainers find and focus on the active issues. If you've found a problem that seems related to this change, please open a new issue so we can investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 25, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@team-tf-cdk team-tf-cdk team-tf-cdk approved these changes

@mutahhir mutahhir Awaiting requested review from mutahhir mutahhir is a code owner automatically assigned from hashicorp/cdktf

@DanielMSchmidt DanielMSchmidt Awaiting requested review from DanielMSchmidt DanielMSchmidt is a code owner automatically assigned from hashicorp/cdktf

Assignees
No one assigned
Labels
auto-approve A PR set to be auto-approved. security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Increase the minimum supported version of aws-cdk-lib to 2.80.0
2 participants
@xiehan @team-tf-cdk