Technical advisories report major issues with CockroachDB or the Cockroach Cloud platform that may impact security or stability in production environments.
Users are invited to evaluate advisories and consider the recommended mitigation actions independently from their version upgrade schedule.
Advisory | Summary | Affected versions | Date |
---|---|---|---|
A-99796 | After upgrading to CockroachDB v22.2.0-v22.2.7, a bug could cause primary index corruption when an ALTER TABLE..ADD COLUMN statement executes concurrently with an UPDATE or INSERT command, and the schema change fails and is rolled back. | v22.2.0 to v22.2.7 | April 17, 2023 |
A-99049 | Non-admin SQL users with an authenticated HTTP session could download statement diagnostic bundles given a bundle URL from the DB Console or SQL shell with a valid HTTP session cookie. | v21.2.x, v22.1.0 to v22.1.16, v22.2.0 to v22.2.6 | March 29, 2023 |
A-98779 | A restore job can potentially skip some data files upon resumption of an in-progress RESTORE, which could lead to missing rows after the job succeeds. | v22.2.6 | March 29, 2023 |
A-97932 | The SCRAM protocol had a high default hash count causing connection latency spikes for clients running on limited CPU. | v22.2.0 to v22.2.6 | March 29, 2023 |
A-97090 | Queries planned with a zigzag join could produce incorrect results if the two indexes used for the join had a matching suffix of index key columns where the direction was different between the two indexes. | v19.1 to v22.1.15, v22.2.0 to v22.2.5 | March 6, 2023 |
A-96924 | When executing ALTER TABLE DROP COLUMN of a column used in a partial index, all DML statements referencing the table fail with an error during the delete-only phase. | v20.2.0 to v22.1.15, v22.2.0 to v22.2.5 | March 6, 2023 |
A-93398 | Altering a non-empty table to add a column with a DEFAULT expression in which the type of the expression did not match the type of the new column could cause the column to become corrupted. | v22.2.0-alpha.1 to v22.2.3 | March 1, 2023 |
A-97178 | Clusters that are upgraded to v22.2.4 when a previous upgrade to v22.2.x has not been finalized exhibit a bug that prevents non-admin users from connecting to the cluster. | v22.2.4 | February 16, 2023 |
A-96465 | The global NOSQLLOGIN privilege does not restrict SQL access as it should. | v22.2.0 to v22.2.3 | February 6, 2023 |
A-96029 | CockroachDB may display higher than expected values for histogram metrics when calculating quantiles. | v22.2.0 to v22.2.3 | January 27, 2023 |
C20230118 | CockroachDB Cloud users with the Developer role could perform SQL admin-like operations using a specific internal DB Console API. | CockroachDB Cloud from November 2022 to January 2023 | January 18, 2023 |
A-93314 | CockroachDB crashes when a user-defined function is created using any implicit record type which contains a column of user-defined ENUM type as the function’s parameter type or return type. | v22.2.0 and v22.2.1 | January 4, 2023 |
A-90146 | Changefeeds using the initial_scan='only' or schema_change_policy='stop' options may incorrectly complete with a successful status under certain circumstances. | v22.1.6 to v22.1.9 | December 20, 2022 |
A-88042 | A RESTORE of an incremental backup may include rows that should not be restored, in a narrow set of circumstances relating to an ongoing IMPORT INTO job. | v22.1.0 to v22.1.8 and v21.2.0 to v21.2.16 | October 24, 2022 |
A-88993 | A query with ORDER BY and LIMIT clauses could return incorrect results if it scanned a multi-column index containing the ORDER BY columns, and a prefix of the index columns was held fixed to two or more constant values by the query filter or schema. | v22.1.0 to v22.1.8 | October 17, 2022 |
A-88047 | Querying a REGIONAL BY ROW or partitioned multi-region table could produce incorrect results if the query has a LIMIT of less than 100,000 and uses an inverted index. | v22.1.0 to v22.1.7 | September 29, 2022 |
A-84144 | Multi-region tables whose locality has been altered to REGIONAL BY ROW are at risk of being corrupted. | v22.1.0 to v22.1.3 | July 19, 2022 |
A-82576 | Adding a column to a table which references a sequence, or creating a table with columns referencing sequences, adds an incomplete back-reference to the sequence metadata. | v22.1.0 to v22.1.2 | July 18, 2022 |
A-82079 | If a CREATE MATERIALIZED VIEW statement fails, all objects referenced in its SELECT query will be unusable. | v21.2.0 to v21.2.12, v22.1.0 | July 18, 2022 |
A-81448 | Columns that are NOT NULL, have a volatile DEFAULT expression, and appear in one or more secondary indexes will have values in those secondary indexes that are inconsistent with the primary index, which can lead to incorrect query results. | v21.1.x, v21.2.0 to v21.2.12, v22.1.0 | June 28, 2022 |
A-81968 | Left outer joins and correlated subqueries can produce incorrect results. | v22.1.0 | June 6, 2022 |
A-82309 | During or after an upgrade from CockroachDB v21.2.x to v22.1.0, existing changefeeds will stop emitting data. | v22.1.0-alpha.1 to v22.1.0 | June 3, 2022 |
A-81315 | Prepared SELECT queries that filter a column with a constant cast to the wrong type fail to return the expected results. | v21.2.0 to v21.2.10, v22.1.0-alpha.1 to v22.1.0 | May 23, 2022 |
A-79066 | Data key rotation is inadvertently disabled if the store key hasn't changed since the last node start. | All clusters with encryption-at-rest enabled running CockroachDB v20.2.x, v21.1.0 to v21.1.18, or v21.2.0 to v21.2.9 | May 2, 2022 |
A-79384 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0 to v21.1.17, v21.2.0 to v21.2.8, v22.1.0-alpha.1 to v22.1.0-beta.1 | April 14, 2022 |
A-79281 | Importing duplicate keys can cause violations of UNIQUE constraints. | v21.2.0 to v21.2.7, v22.1.0-alpha.1 to v22.1.0-alpha.5, v22.1.0-beta.1 | April 12, 2022 |
A-78681 | The optimizer has been found to create logically incorrect query plans in some cases. | v21.1.0 to v21.1.16, v21.2.0 to v21.1.7, v22.1.0-alpha.1 to v22.1.0-alpha.5 | April 11, 2022 |
A-76522 | The optimizer can omit ON conditions of joins in query plans, causing incorrect results. | v20.2.0 to v20.2.19, v21.1.0 to v21.1.15, v21.2.0 to v21.2.6 | March 9, 2022 |
A-75758 | Users without the appropriate permissions may cancel any other users' sessions from the DB Console. | v20.2.0 to v20.2.18, v21.1.0 to v21.1.13, v21.2.0 to v21.2.4 | February 10, 2022 |
A-74736 | Queries can miss rows in a primary or unique index that is being scanned, causing incorrect query results. | v21.2.0 to v21.2.4 | February 7, 2022 |
A-74385 | Partial indexes can be corrupted by UPDATE statements, resulting in incorrect query results for any queries that use the partial index. | v21.1 and v21.2 prior to v21.1.13 and v21.2.4 | January 6, 2022 |
CVE-2021-44228 | No Cockroach Labs products or services are affected by the recent CVE-2021-44228 Apache Log4j vulnerability. | None | December 14, 2021 |
A-73629 | Planning queries over partitioned tables with a DEFAULT partition in a PARTITION BY LIST clause could cause a spurious internal error. | v21.1 and v21.2 prior to v21.1.13 and v21.2.3 | December 14, 2021 |
A-73024 | The optimizer could plan queries that use semi-joins against multi-region REGIONAL BY ROW tables incorrectly. | v21.2.0 | November 29, 2021 |
A-72839 | Backups fail during upgrade process | v21.2.0 | November 18, 2021 |
A-71553 | SQL statements that used secondary unique indexes that were created as a result of an ALTER PRIMARY KEY statement can return incorrect results. | v20.2, v21.1 | November 8, 2021 |
A-71655 | Zigzag joins could potentially produce incorrect results | v19.2, v20.1, v20.2, v21.1 | November 2, 2021 |
A-71002 | CockroachDB v21.1.9 drops WHERE predicates from prepared statements in specific circumstances. | v21.1.9 | October 7, 2021 |
A-69874 | CockroachDB v21.1.8 cannot be downgraded. | v21.1.8 | September 7, 2021 |
A-68005 | The sql.trace.txn.enable_threshold cluster setting causes crash loops. | v21.1.0 to v21.1.6 | August 20, 2021 |
A-62842 | TRUNCATE TABLE during CREATE/ALTER INDEX can cause data corruption. | v20.2.0 to v20.2.8 | July 29, 2021 |
A-64325 | Race condition between reads and replica removal | v20.1 and later | May 3, 2021 |
A-63162 | Invalid incremental backups under certain circumstances | v19.1.0 to v19.1.11, v19.2.0 to v19.2.12, v20.1.0 to v20.1.14, v20.2.0 to v20.2.7 | April 30, 2021 |
A-58932 | HTTP requests can cause full-cluster denial of service (DoS) | v19.2.0 to v19.2.11, v20.1.0 to v20.1.10, v20.2.0 to v20.2.3 | February 2, 2021 |
A-56116 | Incorrect timezone calculations with "slim" zoneinfo format | All | October 29, 2020 |
A-54418 | Incorrect behavior with large batch UPSERTs. | v20.1.4, v20.1.5 | September 24, 2020 |
A-50587 | TRUNCATE prevents table renaming. | v19.1.0 to v19.1.10, v19.2.0 to v19.2.8 | July 6, 2020 |
A-48860 | Data corruption/loss issue with snapshots and delete range | v2.1.0 to v2.1.9, v19.1.0 to v19.1.8, v19.2.0 to v19.2.6 | May 20, 2020 |
A-44348 | Data leak in statement details | v2.1.0 to v2.1.11, v19.1.0 to v19.1.7, v19.2.0 to v19.2.3 | February 12, 2020 |
A-44299 | Schema changes may cause cluster unavailability | v19.1.0 to v19.1.7, v19.2.0 to v19.2.3 | February 12, 2020 |
A-44166 | SHOW JOBS and the Jobs page can endanger cluster stability. | v19.2.0 to v19.2.2 | February 12, 2020 |
A-43870 | HTTP authentication for non-Enterprise users | v2.1.10 onward, v19.1.6 onward, v19.2.2 | January 22, 2020 |
A-42567 | HTTP endpoint vulnerability | v2.1.0 to v2.1.8, v19.1.0 to v19.1.5, v19.2.0 to v19.2.1 | January 22, 2020 |
A-30821 | Authentication bypass for internal RPCs | v1.1.0 to v1.1.8, v2.0.0 to v2.0.4 | October 1, 2018 |