cherry-pick of #14598 (#14602)

Daniel Hawton 2024-02-09 11:38:42 -07:00 committed by GitHub
parent 5a2654decd
commit 22964a74a0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 105 additions and 3 deletions


@ -184,6 +184,7 @@ Bookinfo
bookinfo
boolean
BoringSSL
Bottlerocket
bring-your-own-CA
bring-your-own-identity
Brooks
@ -351,6 +352,11 @@ CVE-2023-35942
CVE-2023-35943
CVE-2023-35944
CVE-2023-35945
CVE-2024-23322
CVE-2024-23323
CVE-2024-23324
CVE-2024-23325
CVE-2024-23327
CVEs
cves
cvss


@ -70,9 +70,8 @@ Please keep up-to-date and use a supported version.
| Minor Releases | Patched versions with no known CVEs |
| ---------------- | ---------------------------------------------------- |
| 1.20.x | 1.20.0+ |
| 1.19.x | 1.19.3+ |
| 1.18.x | 1.18.5+ |
| 1.20.x | 1.20.3+ |
| 1.19.x | 1.19.7+ |
## Supported Envoy Versions
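Review bot: the 1.18.x row is dropped from the patched-versions table with no replacement, but nothing here tells a 1.18 user what to do; since the bulletin in this same change lists "All releases prior to 1.19.0" as affected and no 1.18 patch is announced, add a sentence under the table stating that 1.18 is out of support and users must move to 1.19.7 or 1.20.3, rather than letting the row silently disappear.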


@ -0,0 +1,30 @@
---
title: Announcing Istio 1.19.7
linktitle: 1.19.7
subtitle: Patch Release
description: Istio 1.19.7 patch release.
publishdate: 2024-02-09
release: 1.19.7
---
This release implements the security updates described in our February 8th post, [`ISTIO-SECURITY-2024-001`](/news/security/istio-security-2024-001) along with bug fixes to improve robustness.
This release note describes whats different between Istio 1.19.6 and 1.19.7.
{{< relnote >}}
## Changes
- **Fixed** an issue where updating a service's `TargetPort` does not trigger an xDS push. ([Issue #48580](https://github.com/istio/istio/issues/48580))
- **Fixed** an issue where the webhook generated with `istioctl tag set` is unexpectedly removed by the installer.
([Issue #47423](https://github.com/istio/istio/issues/47423))
- **Fixed** a bug that results in the incorrect generation of configurations for pods without associated services, which includes all services within the same namespace. This can occasionally lead to conflicting inbound listeners error.
- **Fixed** a bug that made `PeerAuthentication` too restrictive in ambient mode.
- **Fixed** an issue causing Istio CNI to stop functioning on minimal/locked down nodes (such as no `sh` binary).
The new logic runs with no external dependencies, and will attempt to continue if errors are encountered (which could be caused by things like SELinux rules).
In particular, this fixes running Istio on Bottlerocket nodes.
([Issue #48746](https://github.com/istio/istio/issues/48746))
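Review bot: typo in the intro sentence, "whats different" should be "what's different". In the pods-without-services item, "lead to conflicting inbound listeners error" is missing an article ("lead to a conflicting inbound listeners error"). The `PeerAuthentication` item is the only entry without an issue link; if one exists, add it for parity with the other bullets.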


@ -0,0 +1,35 @@
---
title: Announcing Istio 1.20.3
linktitle: 1.20.3
subtitle: Patch Release
description: Istio 1.20.3 patch release.
publishdate: 2024-02-09
release: 1.20.3
---
This release implements the security updates described in our February 8th post, [`ISTIO-SECURITY-2024-001`](/news/security/istio-security-2024-001) along with bug fixes to improve robustness.
This release note describes whats different between Istio 1.20.2 and 1.20.3.
{{< relnote >}}
## Changes
- **Improved** graceful termination abort logic when the Envoy process terminates early. ([Issue #36686](https://github.com/istio/istio/issues/36686))
- **Fixed** an issue where updating a service's `TargetPort` does not trigger an xDS push. ([Issue #48580](https://github.com/istio/istio/issues/48580))
- **Fixed** an issue where in-cluster analysis was unnecessarily performed when there's no configuration change.
([Issue #48665](https://github.com/istio/istio/issues/48665))
- **Fixed** an issue where the webhook generated with `istioctl tag set` is unexpectedly removed by the installer.
([Issue #47423](https://github.com/istio/istio/issues/47423))
- **Fixed** a bug that results in the incorrect generation of configurations for pods without associated services, which includes all services within the same namespace. This can occasionally lead to conflicting inbound listeners error.
- **Fixed** a bug that made `PeerAuthentication` too restrictive in ambient mode.
- **Fixed** an issue causing Istio CNI to stop functioning on minimal/locked down nodes (such as no `sh` binary).
The new logic runs with no external dependencies, and will attempt to continue if errors are encountered (which could be caused by things like SELinux rules).
In particular, this fixes running Istio on Bottlerocket nodes.
([Issue #48746](https://github.com/istio/istio/issues/48746))
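Review bot: the same "whats" typo and the same unreferenced `PeerAuthentication` bullet appear here as in the 1.19.7 announcement; fix both in this file too so the two release notes stay consistent, and use "lead to a conflicting inbound listeners error" in the pods-without-services item.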


@ -0,0 +1,32 @@
---
title: ISTIO-SECURITY-2024-001
subtitle: Security Bulletin
description: CVEs reported by Envoy.
cves: [CVE-2024-23322, CVE-2024-23323, CVE-2024-23324, CVE-2024-23325, CVE-2024-23327]
cvss: "8.6"
vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
releases: ["All releases prior to 1.19.0", "1.19.0 to 1.19.6", "1.20.0 to 1.20.2"]
publishdate: 2024-02-09
keywords: [CVE]
skip_seealso: true
---
{{< security_bulletin >}}
## CVE
### Envoy CVEs
**Note**: At the time of publishing, the below security advisories have not yet been published, but should be published shortly.
- __[CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38)__: (CVSS Score 7.5, High): Envoy crashes when idle and request per try timeout occur within the backoff interval.
- __[CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch)__: (CVSS Score 4.3, Moderate): Excessive CPU usage when URI template matcher is configured using regex.
- __[CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6)__: (CVSS Score 8.6, High): Ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata.
- __[CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26)__: (CVSS Score 7.5, High): Envoy crashes when using an address type that isn't supported by the OS.
- __[CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j)__: (CVSS Score 7.5, High): Crash in proxy protocol when command type of LOCAL.
## Am I Impacted?
The majority of exploitable behavior is related to the use of PROXY Protocol, primarily used in gateway scenarios. If you or your users have PROXY Protocol enabled, either via `EnvoyFilter` or [proxy config](/docs/ops/configuration/traffic-management/network-topologies/#proxy-protocol) annotations, there is potential exposure.
Aside from the use of PROXY protocol, the usage of the `%DOWNSTREAM_PEER_IP_SAN%` [command operator](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage.html#command-operators) for access logs has potential exposure.
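Review bot: the "Am I Impacted?" section scopes exposure only by PROXY Protocol and the `%DOWNSTREAM_PEER_IP_SAN%` operator, yet three of the listed CVEs are described with no PROXY protocol dependency at all (CVE-2024-23322, the idle/per-try timeout crash; CVE-2024-23323, the URI template regex CPU usage; CVE-2024-23325, the unsupported address type crash), so a reader without PROXY protocol may wrongly conclude they are unaffected. Add a closing sentence such as "The remaining CVEs do not depend on PROXY protocol; all users should upgrade to 1.19.7 or 1.20.3." Two smaller points: the "Note" about the advisories not yet being published will go stale once the GHSA links resolve, so plan to remove it, and the CVE-2024-23327 description reads "when command type of LOCAL" where "when command type is LOCAL" is intended.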