From 22964a74a01d937fb2821ac749535b635a7490c0 Mon Sep 17 00:00:00 2001
From: Daniel Hawton
Date: Fri, 9 Feb 2024 11:38:42 -0700
Subject: [PATCH] cherry-pick of #14598 (#14602)
---
 .spelling | 6 ++++
 .../docs/releases/supported-releases/index.md | 5 ++-
 .../1.19.x/announcing-1.19.7/index.md | 30 ++++++++++++++++
 .../1.20.x/announcing-1.20.3/index.md | 35 +++++++++++++++++++
 .../security/istio-security-2024-001/index.md | 32 +++++++++++++++++
 5 files changed, 105 insertions(+), 3 deletions(-)
 create mode 100644 content/en/news/releases/1.19.x/announcing-1.19.7/index.md
 create mode 100644 content/en/news/releases/1.20.x/announcing-1.20.3/index.md
 create mode 100644 content/en/news/security/istio-security-2024-001/index.md
diff --git a/.spelling b/.spelling
index 165ad60a3c..aa0b22fc5b 100644
--- a/.spelling
+++ b/.spelling
@@ -184,6 +184,7 @@ Bookinfo
 bookinfo
 boolean
 BoringSSL
+Bottlerocket
 bring-your-own-CA
 bring-your-own-identity
 Brooks
@@ -351,6 +352,11 @@ CVE-2023-35942
 CVE-2023-35943
 CVE-2023-35944
 CVE-2023-35945
+CVE-2024-23322
+CVE-2024-23323
+CVE-2024-23324
+CVE-2024-23325
+CVE-2024-23327
 CVEs
 cves
 cvss
diff --git a/content/en/docs/releases/supported-releases/index.md b/content/en/docs/releases/supported-releases/index.md
index 44bf8f18fa..12532a52f6 100644
--- a/content/en/docs/releases/supported-releases/index.md
+++ b/content/en/docs/releases/supported-releases/index.md
@@ -70,9 +70,8 @@ Please keep up-to-date and use a supported version.
 
 | Minor Releases | Patched versions with no known CVEs |
 | ---------------- | ---------------------------------------------------- |
-| 1.20.x | 1.20.0+ |
-| 1.19.x | 1.19.3+ |
-| 1.18.x | 1.18.5+ |
+| 1.20.x | 1.20.3+ |
+| 1.19.x | 1.19.7+ |
 
 ## Supported Envoy Versions
 
diff --git a/content/en/news/releases/1.19.x/announcing-1.19.7/index.md b/content/en/news/releases/1.19.x/announcing-1.19.7/index.md
new file mode 100644
index 0000000000..9bd29bc4c3
--- /dev/null
+++ b/content/en/news/releases/1.19.x/announcing-1.19.7/index.md
@@ -0,0 +1,30 @@
+---
+title: Announcing Istio 1.19.7
+linktitle: 1.19.7
+subtitle: Patch Release
+description: Istio 1.19.7 patch release.
+publishdate: 2024-02-09
+release: 1.19.7
+---
+
+This release implements the security updates described in our February 8th post, [`ISTIO-SECURITY-2024-001`](/news/security/istio-security-2024-001) along with bug fixes to improve robustness.
+
+This release note describes what’s different between Istio 1.19.6 and 1.19.7.
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** an issue where updating a service's `TargetPort` does not trigger an xDS push. ([Issue #48580](https://github.com/istio/istio/issues/48580))
+
+- **Fixed** an issue where the webhook generated with `istioctl tag set` is unexpectedly removed by the installer.
+ ([Issue #47423](https://github.com/istio/istio/issues/47423))
+
+- **Fixed** a bug that results in the incorrect generation of configurations for pods without associated services, which includes all services within the same namespace. This can occasionally lead to conflicting inbound listeners error.
+
+- **Fixed** a bug that made `PeerAuthentication` too restrictive in ambient mode.
+
+- **Fixed** an issue causing Istio CNI to stop functioning on minimal/locked down nodes (such as no `sh` binary).
+The new logic runs with no external dependencies, and will attempt to continue if errors are encountered (which could be caused by things like SELinux rules).
+In particular, this fixes running Istio on Bottlerocket nodes.
+ ([Issue #48746](https://github.com/istio/istio/issues/48746))
diff --git a/content/en/news/releases/1.20.x/announcing-1.20.3/index.md b/content/en/news/releases/1.20.x/announcing-1.20.3/index.md
new file mode 100644
index 0000000000..0ef2fcdd75
--- /dev/null
+++ b/content/en/news/releases/1.20.x/announcing-1.20.3/index.md
@@ -0,0 +1,35 @@
+---
+title: Announcing Istio 1.20.3
+linktitle: 1.20.3
+subtitle: Patch Release
+description: Istio 1.20.3 patch release.
+publishdate: 2024-02-09
+release: 1.20.3
+---
+
+This release implements the security updates described in our February 8th post, [`ISTIO-SECURITY-2024-001`](/news/security/istio-security-2024-001) along with bug fixes to improve robustness.
+
+This release note describes what’s different between Istio 1.20.2 and 1.20.3.
+
+{{< relnote >}}
+
+## Changes
+
+- **Improved** graceful termination abort logic when the Envoy process terminates early. ([Issue #36686](https://github.com/istio/istio/issues/36686))
+
+- **Fixed** an issue where updating a service's `TargetPort` does not trigger an xDS push. ([Issue #48580](https://github.com/istio/istio/issues/48580))
+
+- **Fixed** an issue where in-cluster analysis was unnecessarily performed when there's no configuration change.
+ ([Issue #48665](https://github.com/istio/istio/issues/48665))
+
+- **Fixed** an issue where the webhook generated with `istioctl tag set` is unexpectedly removed by the installer.
+ ([Issue #47423](https://github.com/istio/istio/issues/47423))
+
+- **Fixed** a bug that results in the incorrect generation of configurations for pods without associated services, which includes all services within the same namespace. This can occasionally lead to conflicting inbound listeners error.
+
+- **Fixed** a bug that made `PeerAuthentication` too restrictive in ambient mode.
+
+- **Fixed** an issue causing Istio CNI to stop functioning on minimal/locked down nodes (such as no `sh` binary).
+The new logic runs with no external dependencies, and will attempt to continue if errors are encountered (which could be caused by things like SELinux rules).
+In particular, this fixes running Istio on Bottlerocket nodes.
+ ([Issue #48746](https://github.com/istio/istio/issues/48746))
diff --git a/content/en/news/security/istio-security-2024-001/index.md b/content/en/news/security/istio-security-2024-001/index.md
new file mode 100644
index 0000000000..5b8d2e1434
--- /dev/null
+++ b/content/en/news/security/istio-security-2024-001/index.md
@@ -0,0 +1,32 @@
+---
+title: ISTIO-SECURITY-2024-001
+subtitle: Security Bulletin
+description: CVEs reported by Envoy.
+cves: [CVE-2024-23322, CVE-2024-23323, CVE-2024-23324, CVE-2024-23325, CVE-2024-23327]
+cvss: "8.6"
+vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
+releases: ["All releases prior to 1.19.0", "1.19.0 to 1.19.6", "1.20.0 to 1.20.2"]
+publishdate: 2024-02-09
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVEs
+
+**Note**: At the time of publishing, the below security advisories have not yet been published, but should be published shortly.
+
+- __[CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38)__: (CVSS Score 7.5, High): Envoy crashes when idle and request per try timeout occur within the backoff interval.
+- __[CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch)__: (CVSS Score 4.3, Moderate): Excessive CPU usage when URI template matcher is configured using regex.
+- __[CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6)__: (CVSS Score 8.6, High): Ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata.
+- __[CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26)__: (CVSS Score 7.5, High): Envoy crashes when using an address type that isn't supported by the OS.
+- __[CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j)__: (CVSS Score 7.5, High): Crash in proxy protocol when command type of LOCAL.
+
+## Am I Impacted?
+
+The majority of exploitable behavior is related to the use of PROXY Protocol, primarily used in gateway scenarios. If you or your users have PROXY Protocol enabled, either via `EnvoyFilter` or [proxy config](/docs/ops/configuration/traffic-management/network-topologies/#proxy-protocol) annotations, there is potential exposure.
+
+Aside from the use of PROXY protocol, the usage of the `%DOWNSTREAM_PEER_IP_SAN%` [command operator](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage.html#command-operators) for access logs has potential exposure.