Apache SkyWalking, CVE Fixes, Tetrate

TSB Log4j Security Announcement

Summary

A critical vulnerability (CVE-2021-44228, CVSS score 10) was identified in the Java logging library Apache Log4j 2. Apache Log4j2 2.14.1 and below are susceptible to a remote code execution vulnerability that a remote attacker can exploit to take full control of a vulnerable machine.

Apache Log4j is used in many Java-based applications, so this vulnerability potentially affects a large number of organizations. As we continue to gain a deeper understanding of the impact of this threat, we will publish technical information to help you detect, investigate, and mitigate attacks. We will provide updates with more information and protection details as they become available.

Update at 2021-12-14: New, related CVE-2021-45046 has been disclosed and mitigations are included in this post.

CVE Fixes, Envoy Proxy & GetEnvoy, Security

Envoy and Istio security releases – June 2020

Istio and the Envoy proxy security team have announced releases that address HIGH severity CVE-2020-11080, with a CVSS score of 7.5.

The identified vulnerability relates to excessive CPU usage when processing HTTP/2 SETTINGS frames, which can cause a denial of service. A malicious attacker might repeatedly send a SETTINGS frame with a length of 14,400 bytes (2,400 individual settings entries), causing CPU usage to spike to 100%.

To address the vulnerability, we encourage Envoy users to upgrade to Envoy proxy 1.12.4, 1.13.2 or 1.14.2. You can get the latest release from GetEnvoy.

Istio users should update to 1.5.5 or later for 1.5.x deployments and 1.6.2 or later for 1.6.x deployments.

CVE Fixes, Envoy Proxy & GetEnvoy, Istio, Open Source, Security

Upgrade: Istio and Envoy CVE security fixes

Users of Istio and Envoy are strongly encouraged to upgrade to Istio 1.4.6 and Envoy 1.13.1 or 1.12.3 to address four newly discovered security vulnerabilities. The Envoy update is also available via GetEnvoy.io.

CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1. Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (e.g., 1 byte) chunks.

CVE Fixes, Envoy Proxy & GetEnvoy, Security

Envoy CVE security fixes for GetEnvoy

The Envoy security team today announced the availability of Envoy 1.9.1 to address two high-risk vulnerabilities related to header values and HTTP URL paths.

We also released the GetEnvoy build of Envoy 1.9.1 and the latest master build, which fix these vulnerabilities. Users are encouraged to upgrade to 1.9.1 or the latest master build to address the following CVEs:

  • CVE-2019-9900: When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
  • CVE-2019-9901: Envoy does not normalize HTTP URL paths in Envoy 1.9 and before. A remote attacker may craft a path with a relative path, e.g. something/../admin, to bypass access control, e.g. a block on /admin. A backend server could then interpret the unnormalized path and provide an attacker access beyond the scope provided for by the access control policy.