Service mesh Istio has issued two security updates after four vulnerabilities were found in the Envoy proxy. It’s recommended that you upgrade to versions 1.5.7 and 1.6.4, although it takes a bit of manual reconfiguration to be completely safe.
The security issues include three high severity bugs ( with a CVSS score of 7.0) and one medium (5.3 CVSS score) severity flaw affecting all installations running Istio 1.5 to 1.5.6 and 1.6 to 1.6.3.
The first high severity bug is CVE-2020-12603, which an attacker could use to have Envoy consume “excessive amounts of memory” when proxying HTTP/2 requests or responses for “a specially crafted packet”.
CVE-2020-12605, another vulnerability fixed by the releases, causes a similar issue but reacts to “specially crafted HTTP/1.1 packets”. With a CVSS score of 5.3 CVE-2020-12604 is less severe, though it can also lead to increased memory usage and is therefore worth treating.
The vulnerability that needs a little bit of extra work to remediate is CVE-2020-8663. When not taken care of, attackers could use the bug to cause Envoy to exhaust file descriptors when accepting too many connections.
To prevent that, limits at the ingress gateway have to be configured, which can only be done by creating a config map and setting its global_downstream_max_connections to the number of concurrent connections needed. Once that’s done, a gateway patch has to be installed and applied to make sure the new configuration is used.
More details on the vulnerabilities and their mitigations can be found in an Istio security bulletin.
Istio was launched in 2017 by Google, IBM, and Lyft as a way of controlling how microservices share information. It uses Envoy for its data plane, which makes it susceptible to security issues in the proxy. Istio is meant to be usable on a variety of platforms and works well with other components in the cloud-native, which is why it is relatively well-known and widely used. Companies using it in production are said to include streaming service Hulu and food delivery company HelloFresh.