Security Updates in Event Store 23.10.0
EventStoreDB 23.10.0 builds on the security changes introduced in 23.6.0. The security highlights in this version are:
- Allow using a Wildcard for CertificateReservedCommonName
- Default Admin and Ops passwords
- Disable Anonymous Access by default
- FIPS commercial plugin
Check out the Release Notes for 23.10.0 for more information about the release, or the Upgrade Guide for upgrade instructions and breaking changes.
The full changelog is available. For upgrade assistance or support inquiries, please get in touch.
Allow Using a Wildcard for CertificateReservedCommonName
We’ve added support for using a wildcard in the CertificateReservedCommonName option for the cluster.
Previously, you had to use the same common name for all nodes in the cluster or generate a wildcard certificate.
Now you can have non-wildcard certificates for each node in the cluster (e.g., node1.mydomain.com, node2.mydomain.com, node3.mydomain.com) and use a wildcard for the CertificateReservedCommonName to match all of them (e.g., *.mydomain.com).
The CertificateReservedCommonName now defaults to the common name of the node certificate, so you no longer need to specify this option unless you are using the wildcard mentioned above.
Default Admin and Ops passwords
We want to eventually remove the default password changeit because having a known default password can leave EventStore vulnerable if the admin and ops passwords aren’t updated.
As such, we have added new options to set the default admin and ops passwords on the first run of EventStore. You can do this by setting the EVENTSTORE_DEFAULT_ADMIN_PASSWORD and EVENTSTORE_DEFAULT_OPS_PASSWORD environment variables.
These settings won’t affect a database that has already been created.
In a future version, we will remove the changeit default password and require a default password to be configured at startup.
These new options can only be set by environment variables so that the passwords aren’t saved in plaintext in config files.
Disable Anonymous Access by Default
Historically, anonymous users with network access have been allowed to read/write streams that do not have access control lists. Anonymous access has also been available to the /stats, /info, and other HTTP endpoints.
Anonymous access is now disabled by default, except for the /info and /ping endpoints.
Gossip is also still anonymous by default while we update our supported clients to use authenticated gossip.
If you need to re-enable anonymous access, you can do this with the new AllowAnonymousEndpointAccess and AllowAnonymousStreamAccess options.
Check the Anonymous Access to Endpoints documentation for more options.
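A pre-start check covering the default password and anonymous access sections above, as an added example that is not Event Store's own code. It assumes the node configuration is a flat YAML file with one "Option: value" per line; the 16-character minimum, the shared-password check, and the sample values are assumptions of this example.

```python
import re

DEFAULT_PASSWORD = "changeit"  # the known default named in this post
PASSWORD_VARS = ("EVENTSTORE_DEFAULT_ADMIN_PASSWORD",
                 "EVENTSTORE_DEFAULT_OPS_PASSWORD")
ANON_OPTIONS = ("AllowAnonymousEndpointAccess", "AllowAnonymousStreamAccess")
MIN_LENGTH = 16  # assumption: local policy, not an EventStoreDB requirement


def audit(env, config_text=""):
    """Return findings for a node about to start on an empty database."""
    findings = []
    for var in PASSWORD_VARS:
        value = env.get(var, "")
        if not value:
            findings.append(f"{var} is unset: account keeps the default '{DEFAULT_PASSWORD}'")
        elif value == DEFAULT_PASSWORD:
            findings.append(f"{var} is set to the known default")
        elif len(value) < MIN_LENGTH:
            findings.append(f"{var} is shorter than {MIN_LENGTH} characters")
    admin, ops = (env.get(v) for v in PASSWORD_VARS)
    if admin and admin == ops:
        # Assumption: separate credentials per role is local hygiene policy.
        findings.append("admin and ops share one password")
    # Assumption: flat YAML config, one "Option: value" pair per line.
    for option in ANON_OPTIONS:
        pattern = rf"^\s*{option}\s*:\s*['\"]?true['\"]?\s*(#.*)?$"
        if re.search(pattern, config_text, re.IGNORECASE | re.MULTILINE):
            findings.append(f"{option} is true: anonymous access re-enabled")
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_ENV = {"EVENTSTORE_DEFAULT_ADMIN_PASSWORD": "changeit"}
SAMPLE_CONFIG = """\
ClusterSize: 3
AllowAnonymousStreamAccess: true
AllowAnonymousEndpointAccess: false
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENV, SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it in the same environment that launches the node, before the first start: the password variables have no effect once the database has been created.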
EventStoreDB Commercial version is now FIPS compliant
There is now a commercial plugin to allow EventStoreDB to run on a FIPS-compliant system. You can find instructions on how to download and use this plugin on the commercial downloads site.
We have also updated our certificate generation tools to create certificates that work on FIPS systems to make testing easier.
The Commercial version of EventStoreDB and the commercial downloads site are available to Event Store Support customers. If you would like to find out more, please get in touch.
Resources and feedback
Issues or questions? Open a GitHub issue, join our Discord Server, or post on our forum.