Boundary 0.14.0 release notes
GA date: October 11, 2023
Release notes provide an at-a-glance summary of key updates to new versions of Boundary. For a comprehensive list of product updates, improvements, and bug fixes refer to the changelog included with the Boundary code on GitHub.
We encourage you to upgrade to the latest release of Boundary to take advantage of continuing improvements, critical fixes, and new features.
New features
| Feature | Description |
|---|---|
| Boundary Desktop embedded terminal | An embedded terminal has been added to the Boundary Desktop client for convenience. Now you can use the CLI directly from within Boundary Desktop. Learn more: Install Boundary Desktop tutorial |
| LDAP authorization method | The LDAP auth method is no longer in beta, it is now fully supported. Administrators can now create, manage, and delete LDAP auth methods along with managed groups and accounts using the admin console UI. Learn more: Auth methods |
| Dynamic credential support for storage buckets HCP/ENT | You can now configure dynamic credentials for AWS S3 storage buckets using the Amazon Web Services (AWS) AssumeRole API. We recommend that you configure credentials using AssumeRole instead of access keys when possible.Learn more: Create a storage bucket |
| Remote pass-through commands for SSH | A new SSH flag, remote-command was introduced to the boundary connect ssh helper. It lets you run the specified commands on the remote-machine using pass-through arguments.Learn more: connect ssh command |
| New worker health metric | A new metric was added to the health endpoint to check the connection state of the worker and whether it can connect to an upstream controller. The result is automatically included in the response when you run the health endpoint. Learn more: Boundary health endpoints |
| Improved telemetry | Improved telemetry was added to Boundary. You can enable telemetry to gather information about your Boundary cluster. Learn more: events stanza |
| Valid principals for Vault SSH signed certificates (Added in version 0.14.2) | You can now add additional valid principals when you create a Vault SSH signed certificate credential library. The additional principals list the names for which the certificate is valid. Learn more: Vault SSH certificate credential library attributes |
| OIDC prompts (Added in version 0.14.3) | You can now use OIDC prompts to customize the authentication and authorization flow to suit your specific needs. For more information about the OIDC specification, refer to the OIDC authentication request documentation. Learn more: OIDC auth method attributes |
| API rate limiting (Added in version 0.14.3) | You can now configure rate limits on the controller API to help manage your system resources. Boundary supports separate configurable limits for each resource and action. Rate limiting is enabled by default. Learn more: API rate limiting |
Known issues and breaking changes
| Version | Issue | Description |
|---|---|---|
| 0.13.0+ | Rotation of AWS access and secret keys during a session results in stale recordings | In Boundary version 0.13.0+, when you rotate a storage bucket's secrets, any new sessions use the new credentials. However, previously established sessions continue to use the old credentials. As a best practice, administrators should rotate credentials in a phased manner, ensuring that all previously established sessions are completed before revoking the stale credentials. Otherwise, you may end up with recordings that aren't stored in the remote storage bucket, and are unable to be played back. |
| 0.13.0+ | Unsupported recovery workflow during worker failure | If a worker fails during a recording, there is no way to recover the recording. This could happen due to a network connectivity issue or because a worker is scaled down, for example. Learn more: Unsupported recovery workflow |
| 0.14.0 (Fixed in 0.14.1) | Go CVE-2023-39325 and Go CVE-2023-39326 | The version of Go that was used in Boundary release 0.14.0 contained security vulnerabilities. The vulnerabilities were fixed in Go version 1.21.3. Boundary was updated to use the new Go version in release 0.14.1, and the issue is resolved. Learn more: Go CVE-2023-39325: HTTP/2 rapid reset can cause excessive work in net/http Go CVE-2023-39326: A malicious HTTP sender can use chunk extensions Upgrade to the latest version of Boundary |
| 0.14.0 (Fixed in 0.14.3 and 0.13.5 HCP/ENT) | Go CVE-2023-39322 and Go CVE-2022-45285 | The version of Go that was used in Boundary release 0.14.0 contained security vulnerabilities. The vulnerabilities were fixed in Go version 1.21.5. Boundary was updated to use the new Go version in release 0.14.3, and the issue is resolved. Note that version 0.13.5 of HCP Boundary and Boundary Enterprise was also updated to use the new Go version. Learn more: Go CVE-2023-39322: QUIC connections do not set an upper bound on the amount of data buffered Go CVE-2022-45285: Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to insecure protocol Upgrade to the latest version of Boundary |
| 0.8.0 - 0.14.0 (Fixed in 0.14.4 and 0.13.6 ENT) | HCSEC-2024-02 | Boundary and Boundary Enterprise since version 0.8.0 are vulnerable to session hijacking through TLS certificate tampering. An attacker who has privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use or TOFU token may exploit the vulnerability. It allows the attacker to create a TLS certificate that hijacks an active session to gain access to the underlying service or application. The vulnerability, CVE-2024-1052, is fixed in Boundary version 0.15.0 and patched in Boundary Enterprise versions 0.13.6 and 0.14.4. Boundary Enterprise users should upgrade to Boundary Enterprise 0.14.4. Community users should evaluate the risk associated with this issue and consider upgrading to Boundary 0.15.0 or later. Learn more: HCSEC-2024-02: Boundary vulnerable to session hijacking through TLS certificate tampering Upgrade to the latest version of Boundary |
| 0.14.0 (Fixed in 0.14.5) | Go CVE-2024-24783, Go CVE-2024-24784, Go CVE-2024-24785, Go CVE-2024-24786, Go CVE-2023-45289, Go CVE-2023-45290 | The version of Go that was used in Boundary release 0.14.0 contained security vulnerabilities. The vulnerabilities were fixed in Go version 1.21.8. Boundary was updated to use the new Go version in release 0.14.5, and the issue is resolved. Learn more: CVE-2024-24783: Verify panics on certificates with an unknown public key algorithm in crypto/x509 CVE-2024-24784: Comments in display names are incorrectly handled in net/mail CVE-2024-24785: Errors returned from JSON marshaling may break template escaping in html/template CVE-2024-24786: Infinite loop in JSON unmarshaling in google.golang.org/protobuf CVE-2023-45289: Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http CVE-2023-45290: Memory exhaustion in multipart form parsing in net/textproto and net/http Upgrade to the latest version of Boundary |
| 0.14.0+ (Fixed in 0.15.3) | Cannot delete IAM access key resource | When you delete an AWS S3 storage bucket that had credential rotation enabled, Boundary cannot delete the associated IAM access key resource. This issue is fixed in version 0.15.3. Upgrade to the latest version of Boundary Learn more: Create a storage bucket |
| 0.14.0 (Fixed in 0.14.6) | Go CVE-2023-45288 | The version of Go that was used in Boundary release 0.14.0 contained security vulnerabilities. The vulnerabilities were fixed in Go version 1.21.9. Boundary was updated to use the new Go version in release 0.14.6, and the issue is resolved. Learn more: CVE-2023-45288: HTTP/2 CONTINUATION flood in net/http Upgrade to the latest version of Boundary |
Feature deprecations and EOL
| EOL | Description |
|---|---|
vault credential library subtype | As noted in the v0.12.0 release notes, the vault credential library subtype was renamed to vault-generic. The vault subtype is removed in this release, you must use vault-generic now.Learn more: Credential libraries |
status field | As noted in the v0.12.0 changelog, using the -format=json option with the CLI produced inconsistent results. The status field is removed in this release. The status_code field is now used for both successful requests and errors. |
| Default port value | As noted in the v0.12.0 release notes, targets now require a default port value. Previously, any ports that you defined as part of a host address were ignored, but allowed as part of the target definition. From this version on, if you define a port on a host address it results in an error. Learn more: Targets |
| Application credentials parameter | As noted in the v0.10.0 changelog, the target subcommands for application credentials were renamed to brokered credentials. The application credentials subcommands are removed in this release. You must use the brokered credential subcommands instead.Learn more: targets |