Users of Istio and Envoy are strongly encouraged to upgrade to Istio 1.4.6 and Envoy 1.13.1 or 1.12.3 to address four newly discovered security vulnerabilities. The Envoy update is also available via GetEnvoy.io.

CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1. Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (e.g., 1 byte) chunks.

CVE-2020-8661 (CVSS score 7.5, High): Response flooding for HTTP/1.1. Envoy version 1.13.0 or earlier may consume excessive amounts of memory when responding internally to pipelined requests.

CVE-2020-8660 (CVSS score 5.3, Medium): TLS inspector bypass. TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process.

CVE-2020-8664 (CVSS score 5.3, Medium): Incorrect Access Control when using SDS with Combined Validation Context. Using the same secret (e.g., trusted CA) across many resources together with the combined validation context could lead to failure to apply the “static” part of the validation context, even though it was visible in the active config dump.

CVE-2020-8659 and CVE-2020-8661 are the two high-severity CVEs, and they apply when Envoy is deployed to untrusted downstreams and/or upstreams. Essentially, if you’re receiving any traffic from an untrusted source, regardless of whether that traffic is fully valid or not, these bugs affect you. They can cause Envoy to crash, as well as consume excessive amounts of memory/CPU.

CVE-2020-8660 and CVE-2020-8664 affect features heavily used in Istio. Specifically, they allow certain security restrictions to be bypassed or incorrectly parsed, leading to incorrect behaviour. The restrictions would still show as active in the configuration dump, but would not actually apply to incoming traffic.

The Envoy security releases are the first since the proxy adopted the stable release policy. The Envoy community will continue to release security updates against the last 2 stable releases or more going forward. Istio is impacted by the vulnerabilities because it uses Envoy to handle ingress and egress traffic between services.

Check the CVE list for updated details about the vulnerabilities and read the upgrade notes if you are jumping to the 1.4.x series of Istio, since some traffic and configuration changes were introduced.
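To find which deployments still need the upgrade, a version audit along these lines can be run over an inventory export. This is an added example, not code from Tetrate, Istio or Envoy; the inventory format and workload names are constructed, and treating Envoy release lines newer than 1.13 as fixed is an assumption.

```python
import re

# Fixed releases named in this post: Envoy 1.12.3 / 1.13.1 and Istio 1.4.6.
ENVOY_FIXED = {(1, 12): (1, 12, 3), (1, 13): (1, 13, 1)}
ISTIO_FIXED = (1, 4, 6)

def parse_version(text):
    """Extract the first x.y.z version from a string such as '1.13.0' or 'v1.12.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def envoy_status(version):
    v = parse_version(version)
    line = v[:2]
    if line in ENVOY_FIXED:
        return "ok" if v >= ENVOY_FIXED[line] else "upgrade"
    # No fixed release is named for lines older than 1.12, so they are flagged.
    # Assumption: lines newer than 1.13 already carry the fixes.
    return "upgrade" if line < (1, 12) else "ok"

def istio_status(version):
    # The post names 1.4.6 as the only fixed Istio release; anything below it is flagged.
    return "ok" if parse_version(version) >= ISTIO_FIXED else "upgrade"

# Constructed sample inventory: (workload, component, version string).
INVENTORY = [
    ("edge-gateway", "envoy", "1.13.0"),
    ("edge-gateway-canary", "envoy", "1.13.1"),
    ("legacy-proxy", "envoy", "v1.12.2"),
    ("batch-proxy", "envoy", "1.12.3"),
    ("old-sidecar", "envoy", "1.11.2"),
    ("mesh-a", "istio", "1.4.5"),
    ("mesh-b", "istio", "1.4.6"),
]

def audit(inventory):
    """Return the inventory entries that are below the fixed releases."""
    checks = {"envoy": envoy_status, "istio": istio_status}
    return [(name, comp, ver) for name, comp, ver in inventory
            if checks[comp](ver) == "upgrade"]

if __name__ == "__main__":
    for name, comp, ver in audit(INVENTORY):
        print(f"{name}: {comp} {ver} needs the security upgrade")
```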

Thank you to everyone who discovered these vulnerabilities and contributed to the fixes. Tetrate will continue to work in close coordination with the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.

This article was written by Tetrate’s Lizan Zhou, Envoy maintainer, and Cynthia Coan, Envoy contributor.