Announcing Tetrate Agent Operations Director for GenAI Runtime Visibility and Governance

Learn more
< Back

Envoy and Istio security releases – June 2020

Envoy%20and%20Istio%20security%20releases%20%E2%80%93%20June%202020

Istio and the Envoy proxy security team have announced releases that address HIGH severity CVE-2020-11080, with a CVSS score of 7.5.

The identified vulnerability relates to excessive CPU usage when processing HTTP/2 SETTINGS frames that would cause denial of service. A malicious attacker might repeatedly construct a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries), causing the CPU to spike at 100%.

To address the vulnerability, we encourage Envoy users to upgrade to Envoy proxy 1.12.4, 1.13.2 or 1.14.2. You can get the latest release from GetEnvoy.

Istio users should update to 1.5.5 or later for 1.5.x deployments and 1.6.2 or later for 1.6.x deployments.

Am I at Risk?

Not all Envoy users will be directly impacted by these vulnerabilities.

Users using Envoy as a HTTP/2 proxy communicating directly with untrusted peers are vulnerable. Deployments communicating only with trusted HTTP/2 peers (e.g. hosted behind Cloud HTTP load balancers) are not vulnerable, but we still recommend updating them. Users using Envoy as a TCP proxy and/or HTTP/1.1 proxy are not affected.

To see if you’re running a vulnerable version of Envoy, run envoy --version and if it indicates a base version of 1.12.3, 1.13.1, 1.14.1 or older then you are running a vulnerable version.

If you’re running GetEnvoy, upgrade GetEnvoy to last version and run: getenvoy verify

to see if your installed Envoy contains the security fixes. If yours doesn’t, please run: getenvoy fetch to get the latest build from us.

How do I mitigate?

The vulnerable Envoy versions can mitigate those vulnerabilities by disabling HTTP2 and allowing only HTTP/1.1 by setting http_connection_manager.codec_type to “HTTP1” and removing “h2” from common_tls_context.alpn_protocols.

Please note that while virtually all HTTP clients can use HTTP/1.1 and HTTP/2 interchangeably, proxying gRPC requires HTTP/2 and it won’t work when HTTP/2 is disabled.

For Istio mitigation, too, HTTP2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration for example (Note that HTTP2 support at ingress can be disabled if you are not exposing gRPC services through ingress):

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-ingress-h2
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: HTTP1

How do I upgrade Envoy?

To get our latest release, run getenvoy fetch

You can also upgrade to 1.12.4, 1.13.2 or 1.14.2 via your Envoy distribution or rebuild from the Envoy GitHub source at the v1.12.4, v1.13.2 or v1.14.2 tag or 8b6ea4eaf95c7fa4822a35b25e6984fb2a718b49 @ master.

Tetrate will continue to work in close coordination with the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.

Have questions?

Reach out to the Envoy community on #envoy-cve if you have any further questions. Reach out to Tetrate at info@tetrate.io for more information on GetEnvoy or to tap our Envoy maintainers and Envoy security experts.

Envoy is a participant in Google’s Vulnerability Reward Program (VRP). This is open to all security researchers and will provide rewards for discovering vulnerabilities.

The Istio patch is available from www.istio.io.

Tetrate will continue to work in close coordination with Istio and the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.

Product background Product background for tablets
New to service mesh?

Get up to speed with free online courses at Tetrate Academy and quickly learn Istio and Envoy.

Learn more
Using Kubernetes?

Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed via the Kubernetes Gateway API.

Learn more
Getting started with Istio?

Tetrate Istio Subscription (TIS) is the most reliable path to production, providing a complete solution for running Istio and Envoy securely in mission-critical environments. It includes:

  • Tetrate Istio Distro – A 100% upstream distribution of Istio and Envoy.
  • Compliance-ready – FIPS-verified and FedRAMP-ready for high-security needs.
  • Enterprise-grade support – The ONLY enterprise support for 100% upstream Istio, ensuring no vendor lock-in.
  • Learn more
    Need global visibility for Istio?

    TIS+ is a hosted Day 2 operations solution for Istio designed to streamline workflows for platform and support teams. It offers:

  • A global service dashboard
  • Multi-cluster visibility
  • Service topology visualization
  • Workspace-based access control
  • Learn more
    Decorative CTA background pattern background background
    Tetrate logo in the CTA section Tetrate logo in the CTA section for mobile

    Ready to enhance your
    network

    with more
    intelligence?