Announcing TEG 1.2—Enterprise support and FedRAMP-ready FIPS builds for Envoy Gateway 1.2

Learn more › close
Tetrate Enterprise ready service mesh
Get Demo
Pricing
Home

|

Blog

|

Istio and Envoy Security Advisories

Istio and Envoy Security Advisories

| Authors: Tetrate, Petr McAllister, Yaroslav Skopets and Tevah Platt

Service Mesh Architecture

Article content

Service Mesh Istio

September 29, 2020 — The Envoy Product Security Team (PST) announced  the availability of a security fix and a series of patches for Envoy versions 1.12,1.13, 1.14 and 1.15 to address two high-risk vulnerabilities related to header values and HTTP URL paths. In response to CVE-2020-25017. Additionally the Istio community recommends users to upgrade to 1.6.11+ for 1.6.x deployments or 1.7.3 or later for 1.7.x deployments.

Users are encouraged to apply the related patches to address the following CVEs:

  • CVE-2020-25017 (CVSS score 8.3, High) Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Also, Envoy’s setCopy() header map API does not replace all existing occurrences of a non-inline header. See the Envoy GitHub advisory and Istio advisory for more details.
  • CVE-2020-25018 (CVSS score 7.5, High) Envoy master after 2d69e30 may fail to parse request URL that requires host canonicalization. The use of Internationalized Domain Name (IDN) as the host component in a request URL triggers the URL parser library used by Envoy to do Punycode encoding (to convert Unicode characters to ASCII). Since the conversion data is not available, it fails the conversion, which could result in executing code in faulting address (segmentation fault). See the GitHub advisory for more details.

Am I at Risk?

Envoy versions 1.15 or earlier deployments are vulnerable to CVE-2020-25017. Run `envoy –version` and if it indicates a base version of 1.15.0, 1.14.4, 1.13.4, 1.12.6 or older you are running a vulnerable version.

For Istio users – the affected versions are:

  • 1.6 to 1.6.10
  • 1.7 to 1.7.2

How do I fix it?

The Envoy security team has announced the availability of Envoy versions 1.15.1, 1.14.5, 1.13.6, and 1.12.7 to address the incorrect handling of duplicate HTTP headers (CVE-2020-25017). Users are encouraged to upgrade to these versions to fix the issue.

Including the 3b5acb2 commit, pushed into the main branch on Sept. 29, 2020 at 12 PDT, is encouraged to fix CVE-2020-25017. The vulnerability is not included in any Envoy releases and will not affect end-users who deployed the official Envoy release.

Istio users should upgrade to 1.6.11+ for 1.6.x deployments or 1.7.3 or later for 1.7.x deployments.

If you’re a Tetrate Service Bridge customer, please review this issue with your Tetrate support contact if any changes in your environment are required.

This notice will be updated if further information becomes available for Envoy or Istio.

How do I patch?

Update to 1.15.1, 1.14.5, 1.13.6, or 1.12.7 via your Envoy distribution or rebuild from the Envoy GitHub source at the 1.15.1, 1.14.5, 1.13.6, or 1.12.7 tag or HEAD @ master.

For v1.15.1:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.15.1

Docker images: docker pull envoyproxy/envoy:v1.15.1

Text release notes can be found here

Expect a followup email tomorrow with links to release notes and docs for 1.15.1; 

For v1.14.5:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.14.5

Docker images: docker pull envoyproxy/envoy:v1.14.5

Release notes: https://www.envoyproxy.io/docs/envoy/v1.14.5/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.14.5/

For v1.13.6:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.13.6

Docker images: docker pull envoyproxy/envoy:v1.13.6

Release notes: https://www.envoyproxy.io/docs/envoy/v1.13.6/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.13.6/

For v1.12.7:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.12.7

Docker images: docker pull envoyproxy/envoy:v1.12.7

Release notes: https://www.envoyproxy.io/docs/envoy/v1.12.7/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.12.7/

Tetrate will continue to work in close coordination with the Envoy security team. We support organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.

###

If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.

Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API. Learn more ›

Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.

Need global visibility for Istio? TIS+ is a hosted Day 2 operations solution for Istio designed to simplify and enhance the workflows of platform and support teams. Key features include: a global service dashboard, multi-cluster visibility, service topology visualization, and workspace-based access control.

Get a Demo

Let's Get In Touch

For more information or a demo request, just drop us a message.

Contact Us