Dapr Runtime v1.13.3

Dapr 1.13.3

This update includes bug fixes:

• App API token forwarded from caller to receiving app
• Upgrade Go version to 1.21.9
• Placement server fails to disseminate placement tables
• Restore dapr_http_server_response_count HTTP metric

App API token forwarded from caller to receiving app

Problem

The caller sidecar is appending the local app API token to the egress request, thereby leaking the API token protecting the local app to the foreign sidecar.

Impact

Receiving app can have access to the calling app's API token and make unauthorized calls directly to the originating app - in case it is listening on 0.0.0.0 or an accessible IP address.

Root cause

A pull request accidentally added this change.

Solution

Fixed the issue and added integration tests to verify and avoid future regressions.

Upgrade Go version to 1.21.9

Problem

Go version 1.21.8 or older are impacted by CVE-2023-45288.

Impact

See https://nvd.nist.gov/vuln/detail/CVE-2023-45288

Root cause

See https://nvd.nist.gov/vuln/detail/CVE-2023-45288

Solution

Update Go version used to build Dapr.

Placement server fails to disseminate placement tables

Problem

In case of an error during dissemination of placement table to a sidecar instance, the dissemination to the remaining instances do not complete. See #7031

Impact

Sidecars can run with an old copy of the dissemination table and cannot invoke the correct Dapr sidecar for a given actor instance.

Root cause

During shutdown, all publish calls to the application where being cancelled.

Solution

Check the return value of performTableDissemination for errors.

Restore dapr_http_server_response_count HTTP metric

Problem

An existing metrics was removed without deprecation notice, affecting users that relied on it. See #7642

Impact

Users did not have this specific metric available anymore, potentially impacting their alerts and monitoring.

Root cause

Metric removed without deprecation notice.

Solution

Added the metric back.