Affected versions: v4.0.0 - v4.2.0
A vulnerability was reported over the weekend affecting the worker API endpoints. It was fixed and shipped today as v4.2.1, shortly after today's v4.2.0 release.
The exploit allows any user (even a user not authorised for any team) to prune, land, and retire global (non-team-owned) workers. A couple of other worker endpoints were also affected, though their impact is negligible (all they would do is accelerate the database GC lifecycle).
The exploit cannot be used to obtain access to any sensitive information. It can only be used to take workers out of commission (by transitioning them to the landing/retiring state). Only 'stalled' workers can be pruned, so the impact of that endpoint is relatively low.
I would of course recommend anyone running v4.0.0+ to upgrade to v4.2.1. The impact is fairly low, but there are plenty of fixes you might want from v4.2.0 anyway.
Regards,
Alex