EventStoreDB Security Release: 23.10, 22.10, 21.10 and 20.10 For CVE-2024-26133

Event Store Team  |  20 February 2024

The official EventStoreDB security release for versions 23.10, 22.10, 21.10, and 20.10 is now available.

The versions in this security release contain an important security fix for CVE-2024-26133. We strongly recommend following the action items below and that all EventStoreDB installations be upgraded to one of these versions.

For Event Store Cloud customers, follow the instructions in the cloud upgrade guide.

We are dedicated to ensuring all aspects of Event Store Ltd products are held to the highest security standards. We have therefore applied the fix to all affected LTS releases of EventStoreDB, including those that are currently out of support. You can access and subscribe to any security alerts here.

This security fix is applied in the following versions (you can also read more about our versioning strategy):

Update ESDB 23.10.0 to ESDB 23.10.1
Update ESDB 22.10.x to ESDB 22.10.5
Update ESDB 21.10.x to ESDB 21.10.11
Update ESDB 20.10.x to ESDB 20.10.6

If you need help planning your upgrade or want to discuss support, please contact us.

EventStoreDB Vulnerability CVE-2024-26133

A vulnerability has been identified in the projections subsystem by the Event Store Ltd engineering team and has been fixed in this release.

Only database instances that use custom projections are affected by this vulnerability.

User passwords may become accessible to anyone with access to the chunk files on disk, and to users who have read access to system streams. By default, only users in the $admins group can read system streams.

Recommended action

  1. Upgrade EventStoreDB: Event Store Cloud customers follow the instructions in the cloud upgrade guide. Otherwise follow the instructions in the standard upgrade guide.
  2. Reset the passwords for current and previous members of $admins and $ops groups.
  3. If a password was reused in any other system, reset it in those systems to a unique password to follow best practices.
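The password-reset step above can be scripted so that no member of $admins or $ops is missed. The following is an added example, not Event Store Ltd code: it lists users through EventStoreDB's HTTP users API, selects every current member of a sensitive group, generates a unique random password per account (so nothing is reused across systems, as step 3 requires) and issues the reset-password command. It assumes that GET /users returns a JSON object with a "data" array whose entries carry "loginName" and "groups", and that POST /users/{login}/command/reset-password accepts {"newPassword": ...}; the sample user list is constructed for offline use. Only current group members can be discovered this way; previous members must be reconstructed from your own change records.

```python
"""Reset passwords of every current $admins/$ops member after CVE-2024-26133.

Added example (not Event Store Ltd code). Assumed API shape:
  GET  {base}/users  ->  {"data": [{"loginName": "...", "groups": [...]}, ...]}
  POST {base}/users/{login}/command/reset-password  with {"newPassword": "..."}
"""
import base64
import json
import secrets
import string
import urllib.request

# Groups named in the advisory's recommended action.
SENSITIVE_GROUPS = {"$admins", "$ops"}

# Constructed sample of what GET /users is assumed to return; used offline.
SAMPLE_USERS = {"data": [
    {"loginName": "admin", "groups": ["$admins"]},
    {"loginName": "ops", "groups": ["$ops"]},
    {"loginName": "reporting", "groups": ["readers"]},
    {"loginName": "deploy", "groups": ["$ops", "deployers"]},
]}


def users_to_reset(users_payload: dict, groups=SENSITIVE_GROUPS) -> list:
    """Return the login names that belong to at least one sensitive group."""
    selected = []
    for user in users_payload.get("data", []):
        if not set(user.get("groups", [])).isdisjoint(groups):
            selected.append(user["loginName"])
    return sorted(selected)


def generate_password(length: int = 32) -> str:
    """Cryptographically random password; a fresh one per account, never shared."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_reset_requests(logins, passwords) -> list:
    """Pair each login with the JSON body the reset-password command expects."""
    return [(login, {"newPassword": passwords[login]}) for login in logins]


def reset_passwords(base_url, admin_user, admin_password, dry_run=True):
    """List users, pick sensitive-group members and reset their passwords.

    Returns {login: new_password}; hand the result to your secrets store and
    never print it. With dry_run=True only the planned resets are shown.
    """
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json",
               "Accept": "application/json"}

    req = urllib.request.Request(f"{base_url}/users", headers=headers)
    with urllib.request.urlopen(req) as resp:
        payload = json.load(resp)

    logins = users_to_reset(payload)
    new_passwords = {login: generate_password() for login in logins}
    for login, body in build_reset_requests(logins, new_passwords):
        if dry_run:
            print(f"would reset password for {login}")
            continue
        req = urllib.request.Request(
            f"{base_url}/users/{login}/command/reset-password",
            data=json.dumps(body).encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            print(f"reset {login}: HTTP {resp.status}")
    return new_passwords


if __name__ == "__main__":
    # Offline check against the constructed sample: which accounts are in scope?
    print("accounts to reset:", users_to_reset(SAMPLE_USERS))
    # Against a real node (hypothetical URL and credentials), first as a dry run:
    # reset_passwords("https://esdb.example.internal:2113", "admin", "...", dry_run=True)
```

Run the dry run first and compare the listed accounts against your own records of who has ever been in $admins or $ops; accounts that were removed from those groups before the upgrade will not appear and must be handled by hand. The admin account used to run the script is itself a member of $admins and is included in the reset.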

Where can I get the packages?

Event Store Cloud customers should upgrade to the latest LTS package. For more details, see the cloud upgrade guide.

Downloads for versions 23.10 and 22.10 are available on our website.

The packages for all versions, including out-of-support versions, can also be installed using the following instructions:

Ubuntu 18.04/20.04/22.04 (via packagecloud)

For version 23.10:

curl -s https://packagecloud.io/install/repositories/EventStore/EventStore-OSS/script.deb.sh | sudo bash
sudo apt-get install eventstore-oss=23.10.1

For version 22.10:

curl -s https://packagecloud.io/install/repositories/EventStore/EventStore-OSS/script.deb.sh | sudo bash
sudo apt-get install eventstore-oss=22.10.5

For version 21.10:

curl -s https://packagecloud.io/install/repositories/EventStore/EventStore-OSS/script.deb.sh | sudo bash
sudo apt-get install eventstore-oss=21.10.11

For version 20.10:

curl -s https://packagecloud.io/install/repositories/EventStore/EventStore-OSS/script.deb.sh | sudo bash
sudo apt-get install eventstore-oss=20.10.6

Windows (via Chocolatey)

For version 23.10:

choco install eventstore-oss -version 23.10.1

For version 22.10:

choco install eventstore-oss -version 22.10.5

For version 21.10:

choco install eventstore-oss -version 21.10.11

For version 20.10:

choco install eventstore-oss -version 20.10.6

Docker (via docker hub)

For version 23.10:

docker pull eventstore/eventstore:23.10.1-jammy
docker pull eventstore/eventstore:23.10.1-bookworm-slim

For version 22.10:

docker pull eventstore/eventstore:22.10.5-jammy
docker pull eventstore/eventstore:22.10.5-bookworm-slim

For version 21.10:

docker pull eventstore/eventstore:21.10.11-bionic
docker pull eventstore/eventstore:21.10.11-buster-slim

For version 20.10:

docker pull eventstore/eventstore:20.10.6-bionic
docker pull eventstore/eventstore:20.10.6-buster-slim

Documentation and previous release notes

Providing Feedback

If you encounter any issues, please don’t hesitate to open an issue on GitHub if there isn’t one already.

We also have an official Discord Server for discussions, questions and for giving us feedback.

If you have any questions that aren't covered in these release notes or the docs, please feel free to reach out.