Istio and the Envoy proxy security team have announced releases that address HIGH severity CVE-2020-11080, with a CVSS score of 7.5.
The vulnerability is excessive CPU usage when processing HTTP/2 SETTINGS frames, resulting in denial of service. A remote attacker can repeatedly send a SETTINGS frame with a length of 14,400 bytes (2,400 individual settings entries of 6 bytes each), driving the CPU to 100%.
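As an added example (not code from the advisory or from the Envoy project), the following Python walks a buffer of HTTP/2 frames, parses the 9-byte frame header defined in RFC 7540, and flags SETTINGS frames whose entry count is far beyond what a well-behaved peer sends. It is the kind of check a packet-capture or proxy-log tool could run to spot the pattern described above. The threshold MAX_SANE_SETTINGS_ENTRIES and the frame builder used for the constructed sample input are assumptions of this example, not values from the advisory.

```python
import struct

# HTTP/2 frame header (RFC 7540 section 4.1): 24-bit length, 8-bit type,
# 8-bit flags, 1 reserved bit + 31-bit stream identifier.
FRAME_HEADER_LEN = 9
SETTINGS_FRAME_TYPE = 0x4
SETTINGS_ENTRY_LEN = 6          # 16-bit identifier + 32-bit value
# Assumed threshold for this example: RFC 7540 defines six settings, so a
# frame carrying dozens of entries is not a legitimate negotiation. The
# advisory's 14,400-byte frame would parse as 2,400 entries.
MAX_SANE_SETTINGS_ENTRIES = 64


def parse_frame_header(data, offset=0):
    """Return (length, frame_type, flags, stream_id) from the 9-byte header."""
    if len(data) - offset < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    hdr = data[offset:offset + FRAME_HEADER_LEN]
    length = int.from_bytes(hdr[0:3], "big")
    frame_type = hdr[3]
    flags = hdr[4]
    stream_id = int.from_bytes(hdr[5:9], "big") & 0x7FFFFFFF
    return length, frame_type, flags, stream_id


def inspect_settings_frames(data):
    """Walk a buffer of HTTP/2 frames and report on every SETTINGS frame.

    Each finding records the byte offset, declared length, entry count, and
    whether the frame is malformed (bad length, non-zero stream, ACK with a
    payload) or oversized (entry count above the assumed threshold).
    """
    findings = []
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length, frame_type, flags, stream_id = parse_frame_header(data, offset)
        start = offset + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) < length:
            break  # incomplete frame at the end of the buffer
        if frame_type == SETTINGS_FRAME_TYPE:
            ack = bool(flags & 0x1)
            malformed = (length % SETTINGS_ENTRY_LEN != 0
                         or stream_id != 0
                         or (ack and length != 0))
            entries = length // SETTINGS_ENTRY_LEN
            findings.append({
                "offset": offset,
                "length": length,
                "entries": entries,
                "malformed": malformed,
                "oversized": entries > MAX_SANE_SETTINGS_ENTRIES,
            })
        offset = start + length
    return findings


def build_settings_frame(entries, ack=False):
    """Constructed test input: a SETTINGS frame repeating
    SETTINGS_MAX_CONCURRENT_STREAMS (0x3) = 100 `entries` times."""
    payload = b"".join(struct.pack("!HI", 0x3, 100) for _ in range(entries))
    header = (len(payload).to_bytes(3, "big")
              + bytes([SETTINGS_FRAME_TYPE, 0x1 if ack else 0x0])
              + (0).to_bytes(4, "big"))
    return header + payload


if __name__ == "__main__":
    sample = build_settings_frame(3) + build_settings_frame(200)
    for finding in inspect_settings_frames(sample):
        print(finding)
```

A real deployment would feed this the decrypted client-to-proxy stream (or Envoy's own connection stats) and alert when a single connection keeps producing oversized or malformed SETTINGS findings; the per-frame entry count is what distinguishes the pattern from normal connection setup.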
To address the vulnerability, we encourage Envoy users to upgrade to Envoy proxy 1.12.4, 1.13.2 or 1.14.2. You can get the latest release from GetEnvoy.
Istio users should update to 1.5.5 or later for 1.5.x deployments and 1.6.2 or later for 1.6.x deployments.
Am I at Risk?
Not all Envoy users are directly affected by this vulnerability.
Users running Envoy as an HTTP/2 proxy that communicates directly with untrusted peers are vulnerable. Deployments communicating only with trusted HTTP/2 peers (e.g. hosted behind Cloud HTTP load balancers) are not vulnerable, but we still recommend updating them. Users running Envoy only as a TCP proxy and/or HTTP/1.1 proxy are not affected.
To see if you’re running a vulnerable version of Envoy, run envoy --version. If it reports a base version of 1.12.3, 1.13.1, 1.14.1 or older, you are running a vulnerable version.
If you’re running GetEnvoy, upgrade GetEnvoy to the latest version and run getenvoy verify to see whether your installed Envoy contains the security fixes. If it doesn’t, run getenvoy fetch to get the latest build from us.
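As an added example (not the advisory's or GetEnvoy's own tooling), this Python helper parses the base version out of envoy --version output and applies the version rule stated above: 1.12.x is fixed from 1.12.4, 1.13.x from 1.13.2, 1.14.x from 1.14.2, anything older than the 1.12 line is vulnerable, and later minor lines are treated as fixed. The sample version string is constructed, with a placeholder build hash; the exact layout of the version line is an assumption of the example, which is why the parser only looks for the dotted x.y.z triple.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by minor line.
FIXED_IN = {
    (1, 12): (1, 12, 4),
    (1, 13): (1, 13, 2),
    (1, 14): (1, 14, 2),
}
OLDEST_FIXED_LINE = (1, 12)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def extract_version(version_output):
    """Return the (major, minor, patch) base version found in `envoy --version` output.

    Assumption: the output contains the release as a dotted triple, e.g. a
    constructed line such as
      envoy  version: <build hash>/1.14.1/clean-getenvoy/RELEASE/BoringSSL
    The build hash has no dots, so the first dotted triple is the base version.
    """
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % version_output)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Apply the advisory's rule: 1.12.3, 1.13.1, 1.14.1 or older is vulnerable."""
    major, minor, _patch = version
    line = (major, minor)
    if line in FIXED_IN:
        return version < FIXED_IN[line]
    # Lines older than 1.12 never received this fix; newer minor lines were
    # cut after it, so they are assumed fixed.
    return line < OLDEST_FIXED_LINE


def check_local_envoy(binary="envoy"):
    """Run the local binary and report whether it is a vulnerable version."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = extract_version(out)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_local_envoy()
    print("envoy %d.%d.%d: %s" % (*version, "VULNERABLE" if vulnerable else "fixed"))
```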
How do I mitigate?
Users on a vulnerable Envoy version can mitigate the vulnerability by disabling HTTP/2 and allowing only HTTP/1.1: set http_connection_manager.codec_type to “HTTP1” and remove “h2” from common_tls_context.alpn_protocols.
Please note that while virtually all HTTP clients can use HTTP/1.1 and HTTP/2 interchangeably, proxying gRPC requires HTTP/2 and will not work while HTTP/2 is disabled.
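As an added example (not code from the advisory or from Envoy), this Python lints an Envoy listener configuration for the two settings named above and produces a hardened copy: every common_tls_context that still advertises h2 via ALPN is reported, as is every HTTP connection manager whose codec_type is not pinned to HTTP1 (a missing codec_type means AUTO, which accepts HTTP/2). The listener JSON below is a constructed, trimmed sample in the v2 API shape the advisory's Istio patch also uses; field names in it are Envoy's, the walk-the-whole-tree approach is the example's own choice so that it works regardless of where the TLS context sits.

```python
import copy
import json

HCM_NAME_FRAGMENT = "http_connection_manager"

# Constructed sample: a TLS listener that still negotiates h2 and leaves the
# connection manager on the AUTO codec (trimmed to the fields that matter).
WEAK_LISTENER = json.loads("""
{
  "name": "ingress_https",
  "filter_chains": [{
    "tls_context": {
      "common_tls_context": {"alpn_protocols": ["h2", "http/1.1"]}
    },
    "filters": [{
      "name": "envoy.http_connection_manager",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager",
        "codec_type": "AUTO",
        "stat_prefix": "ingress"
      }
    }]
  }]
}
""")


def _walk(node, path=()):
    """Yield (path, mapping) for every dict in a nested JSON-like structure."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (index,))


def _is_hcm_filter(node):
    return HCM_NAME_FRAGMENT in str(node.get("name", "")) and "typed_config" in node


def h2_exposures(config):
    """Return (issue, path) pairs for every place HTTP/2 is still enabled."""
    issues = []
    for path, node in _walk(config):
        if "common_tls_context" in node:
            alpn = node["common_tls_context"].get("alpn_protocols", [])
            if "h2" in alpn:
                issues.append(("alpn_h2", path + ("common_tls_context", "alpn_protocols")))
        if _is_hcm_filter(node):
            codec = node["typed_config"].get("codec_type", "AUTO")  # AUTO is the default
            if codec != "HTTP1":
                issues.append(("codec_" + codec, path + ("typed_config", "codec_type")))
    return issues


def harden(config):
    """Return a deep copy with h2 removed from ALPN and codec_type forced to HTTP1."""
    fixed = copy.deepcopy(config)
    for _path, node in list(_walk(fixed)):
        if "common_tls_context" in node:
            ctx = node["common_tls_context"]
            if "alpn_protocols" in ctx:
                ctx["alpn_protocols"] = [p for p in ctx["alpn_protocols"] if p != "h2"]
        if _is_hcm_filter(node):
            node["typed_config"]["codec_type"] = "HTTP1"
    return fixed


if __name__ == "__main__":
    for issue, path in h2_exposures(WEAK_LISTENER):
        print(issue, "/".join(str(p) for p in path))
    print(json.dumps(harden(WEAK_LISTENER), indent=2))
```

Run it against the listener sections of a bootstrap or xDS dump (json.load the file first); an empty result from h2_exposures means the listener will only speak HTTP/1.1, and the gRPC caveat above applies to anything routed through it.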
For Istio, HTTP/2 support can likewise be disabled on the Ingress Gateway as a temporary workaround, for example with the following EnvoyFilter (HTTP/2 support at ingress can be disabled only if you are not exposing gRPC services through ingress):
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-ingress-h2
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: HTTP1
How do I upgrade Envoy?
To get our latest release, run getenvoy fetch.
You can also upgrade to 1.12.4, 1.13.2 or 1.14.2 via your Envoy distribution or rebuild from the Envoy GitHub source at the v1.12.4, v1.13.2 or v1.14.2 tag or 8b6ea4eaf95c7fa4822a35b25e6984fb2a718b49 @ master.
Tetrate will continue to work in close coordination with Istio and the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.
Have questions?
Reach out to the Envoy community on #envoy-cve if you have any further questions. Reach out to Tetrate at info@tetrate.io for more information on GetEnvoy or to tap our Envoy maintainers and Envoy security experts.
Envoy is a participant in Google’s Vulnerability Reward Program (VRP). This is open to all security researchers and will provide rewards for discovering vulnerabilities.
The Istio patch is available from www.istio.io.
If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API.
Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.
Need global visibility for Istio? TIS+ is a hosted Day 2 operations solution for Istio designed to simplify and enhance the workflows of platform and support teams. Key features include: a global service dashboard, multi-cluster visibility, service topology visualization, and workspace-based access control.