Istio plugs up four new Envoy vulns


Service mesh Istio has issued two security updates after four vulnerabilities were found in the Envoy proxy. Users are advised to upgrade to version 1.5.7 or 1.6.4, although it takes a bit of manual reconfiguration to be completely safe.

The security issues include three high-severity bugs (with a CVSS score of 7.0) and one medium-severity flaw (CVSS score of 5.3), affecting all installations running Istio 1.5 to 1.5.6 and 1.6 to 1.6.3.

The first high-severity bug is CVE-2020-12603, which an attacker could use, by sending “a specially crafted packet”, to make Envoy consume “excessive amounts of memory” when proxying HTTP/2 requests or responses.

CVE-2020-12605, another vulnerability fixed by the releases, causes a similar issue but is triggered by “specially crafted HTTP/1.1 packets”. With a CVSS score of 5.3, CVE-2020-12604 is less severe, though it can also lead to increased memory usage and is therefore worth fixing.

The vulnerability that needs a little extra work to remediate is CVE-2020-8663. If it is left unaddressed, attackers could use the bug to make Envoy exhaust its file descriptors by opening too many connections.

To prevent that, limits at the ingress gateway have to be configured, which can only be done by creating a config map and setting its global_downstream_max_connections to the number of concurrent connections needed. Once that’s done, a gateway patch has to be installed and applied to make sure the new configuration is used.
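A way to check both halves of the remediation (patched version plus configured connection limit), as an added example that is not from the Istio bulletin or the original article. The function names are hypothetical, the bootstrap override is assumed to carry the limit in an Envoy `layered_runtime` static layer under `overload`, and the sample value is constructed.

```python
import json
import re

# First fixed patch release per affected minor line, as stated in the article
# (affected: 1.5 to 1.5.6 and 1.6 to 1.6.3).
FIRST_FIXED_PATCH = {(1, 5): 7, (1, 6): 4}
LIMIT_KEY = "global_downstream_max_connections"

def is_affected(version):
    """True if the Istio version is in a range the article lists as affected."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    fixed = FIRST_FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

def connection_limit(bootstrap_json):
    """Return the configured downstream connection limit, or None if unset."""
    doc = json.loads(bootstrap_json)
    for layer in doc.get("layered_runtime", {}).get("layers", []):
        static = layer.get("static_layer") or {}
        # Runtime keys may be nested ({"overload": {...}}) or dotted.
        value = (static.get("overload") or {}).get(LIMIT_KEY)
        if value is None:
            value = static.get("overload." + LIMIT_KEY)
        if isinstance(value, int) and not isinstance(value, bool) and value > 0:
            return value
    return None

def audit(version, bootstrap_json=None):
    """List what is still missing for the ingress gateway to be covered."""
    findings = []
    if is_affected(version):
        findings.append(f"Istio {version} is affected: upgrade to 1.5.7 or 1.6.4")
    if bootstrap_json is None or connection_limit(bootstrap_json) is None:
        findings.append(f"CVE-2020-8663: {LIMIT_KEY} is not set for the ingress gateway")
    return findings

# Constructed sample override; 10000 is a placeholder, not a recommended value.
SAMPLE_BOOTSTRAP = json.dumps({"layered_runtime": {"layers": [{
    "name": "static_layer_0",
    "static_layer": {"overload": {LIMIT_KEY: 10000}},
}]}})

if __name__ == "__main__":
    for v, cfg in [("1.6.3", None), ("1.6.4", None), ("1.6.4", SAMPLE_BOOTSTRAP)]:
        print(v, audit(v, cfg) or "ok")
```

A patched version with no limit configured still produces a finding, which mirrors the article's point that the upgrade alone does not cover CVE-2020-8663.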

More details on the vulnerabilities and their mitigations can be found in an Istio security bulletin.

Istio was launched in 2017 by Google, IBM, and Lyft as a way of controlling how microservices share information. It uses Envoy for its data plane, which makes it susceptible to security issues in the proxy. Istio is meant to be usable on a variety of platforms and works well with other components in the cloud-native space, which is why it is relatively well-known and widely used. Companies using it in production are said to include streaming service Hulu and food delivery company HelloFresh.