Avoid the Perfect Storm
When a critical CVE is discovered, quick action to remediate is paramount. Istio and Envoy have a robust track record of releasing timely CVE patches to users, but there’s a catch for enterprises running open source software in mission-critical apps: if your deployed version has aged out of the support window, there’s a good chance that—since CVE fixes are often not backported to unsupported versions—not only will you have to deploy the security patch, you’ll also need to upgrade to a supported version of the software that contains the patch at the same time. And, you have to do it fast. This is, shall we say, not best practice.
On the other hand, staying up to date with the latest supported versions can be time-consuming and expensive, adding considerable operational overhead. For Istio users, Tetrate has you covered. With Tetrate Istio Subscription, you get a hardened, FIPS-verified, 100% upstream Istio distro with an extended support window for CVEs so you don’t have to upgrade Istio as often to stay protected. In this article, we’ll cover the basics of Tetrate’s CVE protection for Istio and how it can help you maintain security while easing operational overhead.
Sign up for Tetrate’s Istio and Envoy CVE alerts and patches ›
What Is a CVE?
A CVE, or Common Vulnerabilities and Exposures, is a standardized identifier assigned to a known security vulnerability in software, including open-source software. The CVE system is maintained by the MITRE Corporation and provides a way to uniquely identify and track vulnerabilities across different information security databases and tools.
Here’s what the term comprises:
- Common: The vulnerabilities are identified using a common and standardized naming convention, allowing for consistency and ease of reference.
- Vulnerabilities: Refers to weaknesses or flaws in software that can be exploited by attackers to compromise the security of a system.
- Exposures: Implies situations where systems or software are vulnerable to security threats.
Each CVE entry includes a unique identifier number, a brief description of the vulnerability and references to additional information, such as the severity of the issue, affected software versions and potential solutions or mitigations.
For example, a CVE entry might look like this:
- CVE-2022-12345
- Description: Buffer overflow vulnerability in OpenSourceApp version 1.2.3 allows remote attackers to execute arbitrary code via a crafted input.
Security researchers, vendors and organizations use CVE identifiers to communicate about vulnerabilities, share information and coordinate efforts to address and mitigate security issues. When a vulnerability is discovered, it is assigned a CVE identifier and this identifier is referenced in security advisories, patches and other documentation related to the vulnerability.
The management of CVEs is crucial for ensuring the security of software products and the protection of users’ systems and data. Open source projects, being transparent and community-driven, often make use of CVE identifiers to track and communicate security issues, allowing users and developers to stay informed about potential risks and take appropriate actions to secure their systems. While there is no universal legal requirement that mandates software vendors to manage CVEs, it is considered a best practice and many responsible software vendors voluntarily adhere to it.
Here are some reasons why software vendors often choose to manage CVEs:
- Security Best Practices: Following security best practices is essential for building trust with users and maintaining a positive reputation. Actively addressing and disclosing security vulnerabilities demonstrates a commitment to security.
- Transparency and Accountability: Managing CVEs in a transparent manner helps vendors communicate openly with their user base. It fosters accountability and allows users to make informed decisions about their use of the software.
- Coordination with Security Community: CVE management facilitates coordination with the broader security community, including vulnerability researchers, other software vendors and security organizations. This collaborative approach helps ensure that vulnerabilities are addressed promptly and effectively.
- Customer Trust: Users, especially in enterprise and critical infrastructure settings, often require assurance that the software they use is actively maintained and secure. Managing CVEs contributes to building and maintaining trust with customers.
- Regulatory Compliance: In certain industries and regions, regulatory frameworks may require software vendors to address and disclose security vulnerabilities promptly. Adhering to CVE management practices helps vendors meet these compliance requirements.
- Risk Mitigation: Identifying and addressing security vulnerabilities promptly helps mitigate the risk of exploitation by malicious actors. Proactive management of CVEs can prevent or minimize potential security incidents.
CVE Protection with Tetrate Istio Subscription (TIS)
Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro (TID), a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready.
Tetrate understands the importance of security – this involves actively monitoring for security vulnerabilities, issuing patches or updates when necessary and communicating with customers about security-related issues. With Tetrate Istio Subscription (TIS), you get continuous and extended protection from Common Vulnerabilities and Exposures (CVEs) of open-source components. This means you can rest easy knowing your environment is safeguarded against potential threats.
Sign up for Tetrate’s Istio and Envoy CVE alerts and patches ›
When a critical CVE is discovered, you typically have to upgrade to the next minor version if the community support has expired to receive the CVE fix. However, with TIS, Tetrate will backport the CVE fix into the Istio version you have (up to 14 months from when the Istio was published), so you can remediate your CVEs and meet your CVE goals.
To learn more about CVEs and how they work, download the primer: What is CVE? Common Vulnerabilities and Exposure Explained.
###
If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API. Learn more ›
Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.
Need global visibility for Istio? TIS+ is a hosted Day 2 operations solution for Istio designed to simplify and enhance the workflows of platform and support teams. Key features include: a global service dashboard, multi-cluster visibility, service topology visualization, and workspace-based access control.
Get a Demo