Oliver Liu 2022-06-12 13:48:17 -07:00 committed by GitHub
parent 13495eb649
commit 0afa95518e
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 144 additions and 8 deletions


@ -295,6 +295,12 @@ CVE-2022-23606
CVE-2022-23635
CVE-2022-24726
CVE-2022-24921
CVE-2022-29224
CVE-2022-29225
CVE-2022-29226
CVE-2022-29227
CVE-2022-29228
CVE-2022-31045
CVEs
cves
cvss
@ -312,6 +318,7 @@ debuggability
decapsulated
declaratively
decompressor
decompressors
Delayering
Delucca
Demailly
@ -499,6 +506,7 @@ ISTIO-SECURITY-2022-001
ISTIO-SECURITY-2022-002
ISTIO-SECURITY-2022-003
ISTIO-SECURITY-2022-004
ISTIO-SECURITY-2022-005
istio-system
istio.io
istio.io.
@ -656,6 +664,7 @@ ns
NUL
NULs
Nurmamat
OAuth
OAuth2
oc
OCI-compliant
@ -804,6 +813,7 @@ Salesforce
sandboxed
sandboxing
sayin
Schaaf
schedulable
schemas
SDKs


@ -146,7 +146,7 @@ tls_config:
ca_file: /etc/prom-certs/root-cert.pem
cert_file: /etc/prom-certs/cert-chain.pem
key_file: /etc/prom-certs/key.pem
insecure_skip_verify: true # Prometheus does not support Istio security naming, thus skip verifying target pod ceritifcate
insecure_skip_verify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate
{{< /text >}}
## Best practices
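Review bot: comment-only change on the `insecure_skip_verify: true` line (`ceritifcate` becomes `certificate`); the setting itself is unchanged and this stays the only line in the block that turns off verification of the scraped pod's certificate. Since the justification lives solely in that trailing comment, consider stating there that Prometheus still presents `cert_file`/`key_file` from the same `tls_config` and only verification of the target's certificate is skipped, so readers do not mistake the whole block for a plain-text scrape.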


@ -77,8 +77,7 @@ Please keep up-to-date and use a supported version.
| Minor Releases | Patched versions with no known CVEs |
|------------------|-----------------------------------------------|
| 1.14.x | 1.14.0+ |
| 1.13.x | 1.13.2+ |
| 1.12.x | 1.12.5+ |
| 1.11.x | 1.11.8+ |
| 1.10 and earlier | None, all versions have known vulnerabilities |
| 1.14.x | 1.14.1+ |
| 1.13.x | 1.13.5+ |
| 1.12.x | 1.12.8+ |
| 1.11 and earlier | None, all versions have known vulnerabilities |
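Review bot: the table drops the `1.11.x | 1.11.8+` row and folds 1.11 into `1.11 and earlier | None, all versions have known vulnerabilities`, which matches the bulletin's `releases` entry `All releases prior to 1.12.0`; the three remaining minimums (1.14.1+, 1.13.5+, 1.12.8+) line up with the three announcement pages in this commit, so no further change is needed here.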


@ -26,7 +26,7 @@ curl -L https://istio.io/downloadIstio | sh -
}
snip_download_istio_download_2() {
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.14.0 TARGET_ARCH=x86_64 sh -
curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.14.1 TARGET_ARCH=x86_64 sh -
}
snip_download_istio_download_4() {
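Review bot: the pin moves from `ISTIO_VERSION=1.14.0` to `ISTIO_VERSION=1.14.1`, matching `full_version` in the data file change. If this file is produced by the docs snippet generator (the `snip_*` function naming suggests it), regenerate it from the source page rather than editing it by hand so the two cannot drift apart.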


@ -0,0 +1,25 @@
---
title: Announcing Istio 1.12.8
linktitle: 1.12.8
subtitle: Patch Release
description: Istio 1.12.8 patch release.
publishdate: 2022-06-09
release: 1.12.8
aliases:
- /news/announcing-1.12.8
---
This release fixes the security vulnerabilities described in our June 9th post, [ISTIO-SECURITY-2022-005](/news/security/istio-security-2022-005). This release note describes whats different between Istio 1.12.7 and 1.12.8.
{{< relnote >}}
## Changes
- **Fixed** an issue where setting `PILOT_ENABLE_METADATA_EXCHANGE` to `false` does not remove the TCP MX filter.
([Issue #38520](https://github.com/istio/istio/issues/38520))
- **Fixed** an issue where cluster VIPs are not correct and a stale IP address exists after a multi-cluster service is deleted in one cluster. This would cause the DNS Proxy to return a stale IP for service resolution and thus cause a traffic outage.
([Issue #39039](https://github.com/istio/istio/issues/39039))
- **Fixed** an issue where `WorkloadEntry.Annotations` being `nil` would lead to an abnormal exit of istiod.
([Issue #39201](https://github.com/istio/istio/issues/39201))
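Review bot: `whats different` on the intro line should read `what's different` (the same sentence recurs in the 1.13.5 and 1.14.1 notes). The first bullet also mixes tenses: `setting ... to false does not remove the TCP MX filter` reads better as `did not remove`, consistent with the past-tense **Fixed** used throughout.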


@ -0,0 +1,27 @@
---
title: Announcing Istio 1.13.5
linktitle: 1.13.5
subtitle: Patch Release
description: Istio 1.13.5 patch release.
publishdate: 2022-06-09
release: 1.13.5
aliases:
- /news/announcing-1.13.5
---
This release fixes the security vulnerabilities described in our June 9th post, [ISTIO-SECURITY-2022-005](/news/security/istio-security-2022-005). This release note describes whats different between Istio 1.13.4 and 1.13.5.
{{< relnote >}}
## Changes
- **Fixed** improper filtering of endpoints from East-West Gateway caused by `DestinationRule` TLS settings.
([Issue #38704](https://github.com/istio/istio/issues/38704))
- **Fixed** that running `istioctl verify-install` would fail with the `demo` profile.
- **Fixed** an issue where cluster VIPs are not correct and a stale IP address exists after a multi-cluster service is deleted in one cluster. This would cause the DNS Proxy to return a stale IP for service resolution and thus cause a traffic outage.
([Issue #39039](https://github.com/istio/istio/issues/39039))
- **Fixed** an issue where `WorkloadEntry.Annotations` being `nil` would lead to an abnormal exit of istiod.
([Issue #39201](https://github.com/istio/istio/issues/39201))
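Review bot: the `istioctl verify-install` bullet is the only entry without an issue link; the other three cite their GitHub issue, so either add the reference or accept the inconsistency deliberately. The `whats different` typo on the intro line is repeated from the 1.12.8 note.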


@ -0,0 +1,27 @@
---
title: Announcing Istio 1.14.1
linktitle: 1.14.1
subtitle: Patch Release
description: Istio 1.14.1 patch release.
publishdate: 2022-06-09
release: 1.14.1
aliases:
- /news/announcing-1.14.1
---
This release fixes the security vulnerabilities described in our June 9th post, [ISTIO-SECURITY-2022-005](/news/security/istio-security-2022-005). This release note describes whats different between Istio 1.14.0 and 1.14.1.
{{< relnote >}}
## Changes
- **Fixed** improper filtering of endpoints from East-West Gateway caused by `DestinationRule` TLS settings.
([Issue #38704](https://github.com/istio/istio/issues/38704))
- **Fixed** that running `istioctl verify-install` would fail with the `demo` profile.
- **Fixed** an issue where cluster VIPs are not correct and a stale IP address exists after a multi-cluster service is deleted in one cluster. This would cause the DNS Proxy to return a stale IP for service resolution and thus cause a traffic outage.
([Issue #39039](https://github.com/istio/istio/issues/39039))
- **Fixed** an issue where `WorkloadEntry.Annotations` being `nil` would lead to an abnormal exit of istiod.
([Issue #39201](https://github.com/istio/istio/issues/39201))
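Review bot: the Changes list is identical to the 1.13.5 note, including the unlinked `istioctl verify-install` bullet and the `whats different` typo on the intro line; fix both the same way so the three announcements stay consistent. `release: 1.14.1` here agrees with `full_version` in the data file and with the download snippet.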


@ -0,0 +1,48 @@
---
title: ISTIO-SECURITY-2022-005
subtitle: Security Bulletin
description: Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing.
cves: [CVE-2022-31045, CVE-2022-29225, CVE-2022-29224, CVE-2022-29226, CVE-2022-29228, CVE-2022-29227]
cvss: "7.5"
vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
releases: ["All releases prior to 1.12.0", "1.12.0 to 1.12.7", "1.13.0 to 1.13.4", "1.14.0"]
publishdate: 2022-06-09
keywords: [CVE]
skip_seealso: true
---
{{< security_bulletin >}}
## CVE
### CVE-2022-31045
- [CVE-2022-31045](https://github.com/istio/istio/security/advisories/GHSA-xwx5-5c9g-x68x) (CVSS score 5.9, Medium): Memory access violation
Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access, resulting in undefined behavior or crashing.
### Envoy CVEs
These Envoy CVEs do not directly impact Istio features, but we will still include them in the patch releases for 1.12.8, 1.13.5 and 1.14.1.
- [CVE-2022-29225](https://github.com/envoyproxy/envoy/security/advisories/GHSA-75hv-2jjj-89hh) (CVSS score 7.5, High): Decompressors can be zip bombed
Decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the `decode/encodeBody`. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload.
- [CVE-2022-29224](https://github.com/envoyproxy/envoy/security/advisories/GHSA-m4j9-86g3-8f49) (CVSS score 5.9, Medium): Segfault in `GrpcHealthCheckerImpl`
An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
- [CVE-2022-29226](https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh) (CVSS score 10.0, Critical): OAuth filter allows trivial bypass
The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
- [CVE-2022-29228](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rww6-8h7g-8jf6) (CVSS score 7.5, High): OAuth filter calls `continueDecoding()` from within `decodeHeaders()`
The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions.
- [CVE-2022-29227](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rm2p-qvf6-pvr6) (CVSS score 7.5, High): Internal redirect crash for requests with body/trailers
Envoy internal redirects for requests with bodies or trailers are not safe if the redirect prompts an Envoy-generated local reply.
## Am I Impacted?
You are at most risk if you you have an Istio ingress Gateway exposed to external traffic.
## Credit
We would like to thank Otto van der Schaaf of Red Hat for the report.
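Review bot: duplicated word on the `Am I Impacted?` line: `if you you have` should be `if you have`. Separately, the front matter sets `cvss: "7.5"` with an availability-only vector, while the Istio-specific CVE-2022-31045 is listed at 5.9 and CVE-2022-29226 at 10.0; a short sentence saying which finding the headline score reflects (the bulletin already notes the Envoy CVEs do not directly impact Istio features) would help readers who only see the summary.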


@ -2,7 +2,7 @@
version: "1.14"
# The full Istio version identifier the docs describe
full_version: "1.14.0"
full_version: "1.14.1"
# The previous Istio version identifier the docs describe, used for upgrade documentation
previous_version: "1.13"
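Review bot: `full_version: "1.14.1"` matches the new announcement page and the `ISTIO_VERSION=1.14.1` pin in the download snippet, and `previous_version: "1.13"` correctly stays a minor version; nothing to change.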