Service Mesh - Managing Service-to-Service
AWS, Envoy Proxy & GetEnvoy, Istio, Open Source, Service Mesh, Tetrate

451’s take on service mesh: The ‘Swiss Army Knife’ of modern software

Analysts Jean Atelsek and William Fellows of 451 Research give their take on the role of service mesh as a cloud-native enabler, calling it a potential “Swiss Army Knife of modern-day software, solving for the most vexing challenges of distributed microservices based applications.”


The role of service mesh as a cloud-native enabler is building fast

In a multi-cloud, hybrid IT architecture world, where applications are deployed as microservices, the use of service meshes is becoming an important (although not mandatory) component of cloud- native architecture. Early deployments of the technology – which promises network routing, security and configuration control for microservices-based applications – are largely based on open source code, with Envoy emerging as a de facto standard data plane.

Read More
CVE Fixes, Envoy Proxy & GetEnvoy, Security

Envoy CVE security fixes for GetEnvoy

The Envoy security team today [announced] the availability of Envoy 1.9.1 to address two high-risk vulnerabilities related to header values and HTTP URL paths.

We also released the GetEnvoy build of Envoy 1.9.1 and the latest master build that fixes the vulnerability. Users are encouraged to upgrade to 1.9.1 or latest master build to address the following CVEs:

  • CVE-2019-9900: When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
  • CVE-2019-9901: Envoy does not normalize HTTP URL paths in Envoy 1.9 and before. A remote attacker may craft a path with a relative path, e.g. something/../admin, to bypass access control, e.g. a block on /admin. A backend server could then interpret the unnormalized path and provide an attacker access beyond the scope provided for by the access control policy.
Read More