September 29, 2020 — The Envoy Product Security Team (PST) announced the availability of a security fix and a series of patches for Envoy versions 1.12,1.13, 1.14 and 1.15 to address two high-risk vulnerabilities related to header values and HTTP URL paths. In response to CVE-2020-25017. Additionally the Istio community recommends users to upgrade to 1.6.11+ for 1.6.x deployments or 1.7.3 or later for 1.7.x deployments.
Istio founders and contributors Zack Butcher, Sven Mawson, and Liam White discussed all things Istio– covering the latest Istio 1.7 release, what’s to come in 1.8, and practical advice for end users of Istio and the Envoy proxy in Tetrate’s September Istio AMA session.
The release of Istio 1.7 was highly anticipated by the service mesh community and end-users because it addresses a problem that Tetrate was founded to solve: Bringing VMs into the mesh.
CNCF’s flagship conference, KubeCon + CloudNativeCon EU 2020, ran virtually this year (Aug. 17-20), bringing 4,100 attendees from 109 countries to its digital lobby and expo hall.
Istio is a service mesh that allows organizations to connect, secure and observe microservices. Since its inception three years ago, it’s risen to become one of Google’s most prominent open source projects, a top-three keyword at KubeCon, and a mature, production-ready offering supported by a robust community.
Istio and the Envoy proxy security team have announced releases that address HIGH severity CVE-2020-11080, with a CVSS score of 7.5.
The identified vulnerability relates to excessive CPU usage when processing HTTP/2 SETTINGS frames that would cause denial of service. A malicious attacker might repeatedly construct a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries), causing the CPU to spike at 100%.
To address the vulnerability, we encourage Envoy users to upgrade to Envoy proxy 1.12.4, 1.13.2 or 1.14.2. You can get the latest release from GetEnvoy.
Istio users should update to 1.5.5 or later for 1.5.x deployments and 1.6.2 or later for 1.6.x deployments.
A crowd of 12,000 attended KubeCon San Diego this November, looking to the cloud native skies for the IT forecast. Temperature takers couldn’t fail to notice the maturation of service mesh technologies and the rise of Istio, the open source project that has now moved into production and is operating at scale.
Join NIST and Tetrate.io this January 2020 for an interactive conference, “Identity Management and Access Control in Multi-Cloud,” to be held at NIST headquarters in Gaithersburg, MD. We’ll be navigating the future of Zero Trust in multi-cloud environments through the strategic integration of identity management, access control, and service mesh architecture.
Going to KubeCon San Diego? Visit us at Booth SE65.
KubeCon is just 2 weeks away, and Tetrate is excited to be sending our engineers, including top Istio and Envoy contributors. Look for the newly released Istio roadmap, Istio Up and Running, by Lee Calcote and our own Zack Butcher. And stop by and ask us anything about bridging legacy with cloud native.
