Stratora v2.1.10 -- Agent authentication and rollout improvements
Stratora 2.1.10 is available. This release closes a security gap in agent communication and ships a set of operational improvements for escalation teams, voice alerts, and contact management.
Security: agent endpoint authentication
Before 2.1.10, the agent heartbeat and status endpoints accepted requests from any caller that knew a node identifier. Node identifiers aren't designed to be confidential — they appear in admin URLs, notification payloads, and audit logs — so this was a real exposure. An attacker with a node ID could suppress reachability alerts for that node, modify its identity fields, or probe internal system endpoints.
2.1.10 requires agents to authenticate every heartbeat and status request. The fix uses authentication infrastructure that was already in place for the data ingestion path; the agent endpoints now use the same enforcement.
We recommend upgrading promptly.
Operational improvements
A few of the changes worth calling out:
Active-hours suppression on Time-Based escalation schedules. If an escalation team is configured with active hours (say, weekday business hours), alerts that fire outside those hours are now tracked but not dispatched. When the team's active window opens, dispatch resumes from the existing step — no rewind, no skip, no waking someone up at 3 AM for an alert that fired at 7 PM the night before.
Voice alerts no longer require outbound DNS. Voice notification calls now include their announcement text inline rather than fetching it from a callback URL. For on-premises deployments where the Stratora server doesn't have a public DNS name, this removes a class of voice-alert failures.
Hostnames pronounced character-by-character. Voice alerts now announce node identifiers as separate characters — "D-E-V-zero-one" rather than "devzeroone" — so the responder can write the name down on the first listen.
Per-rotation-member phone selection. Each member of an escalation team's on-call rotation can now have their preferred contact number set independently — primary, mobile, or an explicit override. The escalation engine picks the right number based on the member's preference rather than a team-wide default.
The full set of changes (24 customer-visible items including the security fix) is listed in the changelog.
Upgrading
This release contains a breaking change for agent communication. After upgrading the Stratora server to 2.1.10, agents running pre-2.1.10 builds will no longer be able to send heartbeats. They must be upgraded to 2.1.10 (Windows) or 1.2.2 (Linux) before they can resume reporting.
Recommended upgrade order:
- Install the new Stratora server (
Stratora-Server-2.1.10.msi). The server will start enforcing the new authentication requirement immediately. - Expect existing agents to start showing as "Agent heartbeat lost" in the Alerts view. This is the expected operational signal that enforcement is active.
- Roll out the new agent installers to your hosts:
- Windows:
StratoraAgent-2.1.10.msi - Linux (Debian/Ubuntu):
stratora-agent_1.2.2_amd64.deb - Linux (RHEL/Rocky/Alma):
stratora-agent-1.2.2-1.x86_64.rpm
- Windows:
- Hosts running both the Stratora collector and a standalone agent need both
StratoraCollector-2.1.10.msiandStratoraAgent-2.1.10.msi. - As each agent upgrades, its "Agent heartbeat lost" alert auto-resolves within one heartbeat cycle (about 10 seconds).
The 2.1.10 server includes a database migration that runs automatically on first startup and backfills internal data required by the new authentication check. No manual operator action is required for the migration itself.
Bundled components
- Stratora Server 2.1.10
- Stratora Agent 2.1.10 (Windows)
- Stratora Agent 1.2.2 (Linux)
- Stratora Collector 2.1.10
Downloads: github.com/Stratora-Platforms/stratora-releases/releases/tag/v2.1.10