Cherry pick of Istio Sec 2024-006 related PRs [1.23.2, 1.22.5, 1.21.6] (#15721)

* [release-1.23] security adv 2024-006 (#15710) * [release 2024-09-19] docs updates Updates for security release changes Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Updates from PR feedback and updated examples that need verification Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix minor nits Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Added additional change logs for 1.22.5. Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add links to CVEs Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add CVEs to spelling Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Add 1.21 back into supported releases Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Update version to v1.23.2 Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix lint except spelling Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix spelling Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix more spelling Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix spelling again Signed-off-by: Jackie Elliott <jaellio@microsoft.com> --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * [release-1.23] fixes for sec adv 2024-006 (#15712) Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix publish date for 1.22.5 (#15713) * [release-1.23] announce 1.21.6 (#15716) * [release-1.23] announce 1.21.6 Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Fix nit Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * fix lint Signed-off-by: Jackie Elliott <jaellio@microsoft.com> * Update release date Signed-off-by: Jackie Elliott <jaellio@microsoft.com> --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> --------- Signed-off-by: Jackie Elliott <jaellio@microsoft.com> Co-authored-by: Jackie Maertens (Elliott) <64559656+jaellio@users.noreply.github.com>
2024-09-23 13:41:23 -06:00 · 2024-09-23 13:41:23 -06:00 · 68e0060ea3
parent 15d332fd93
commit 68e0060ea3
6 changed files with 131 additions and 3 deletions
--- a/.spelling
+++ b/.spelling
@ -147,6 +147,7 @@ Arielli
 arm64
 ArtifactHub
 AssemblyScript
+async
 Atlassian
 attestor
 attestors
@ -384,6 +385,11 @@ CVE-2024-32976
 CVE-2024-34362
 CVE-2024-34363
 CVE-2024-34364
+CVE-2024-45806
+CVE-2024-45807
+CVE-2024-45808
+CVE-2024-45809
+CVE-2024-45810
 CVEs
 cves
 cvss
@ -643,6 +649,7 @@ ISTIO-SECURITY-2023-001
 ISTIO-SECURITY-2023-002
 ISTIO-SECURITY-2023-003
 ISTIO-SECURITY-2023-004
+ISTIO-SECURITY-2024-006
 istio-system
 istio.io
 istio.io.
@ -674,6 +681,7 @@ json
 JSON-formatted
 json-transcoder
 jwcrypto
+JWKs
 JWKS-URI
 JWT
 jwt.io
@ -865,6 +873,7 @@ OAuth
 OAuth2
 oc
 OCI-compliant
+oghttp2
 ok
 Okta
 Onboard
@ -957,6 +966,7 @@ protos
 proxied
 proxy-config
 Proxy-wasm
+ProxyConfig
 proxying
 Proxyless
 proxyless
@ -997,6 +1007,7 @@ reimplement
 reimplemented
 reinject
 relabeling
+reloadable
 remediate
 remoteIpBlocks
 repo
@ -1031,6 +1042,7 @@ Salesforce
 Salmond
 sandboxed
 sandboxing
+sanitization
 Sathish
 Savcı   
 sayin
@ -1180,6 +1192,7 @@ UIDs
 uint32
 ulimit
 un-injecting
+un-trust
 uncaptured
 uncomment
 uncommented
--- a/content/en/docs/releases/supported-releases/index.md
+++ b/content/en/docs/releases/supported-releases/index.md
@ -70,9 +70,9 @@ Please keep up-to-date and use a supported version.

 | Minor Releases | Patched versions with no known CVEs |
 |----------------|-------------------------------------|
-| 1.23.x         | 1.23.0+                             |
-| 1.22.x         | 1.22.2+                             |
-| 1.21.x         | 1.21.4+                             |
+| 1.23.x         | 1.23.2+                             |
+| 1.22.x         | 1.22.5+                             |
+| 1.21.x         | 1.21.6+                             |

 ## Supported Envoy Versions

--- a/content/en/news/releases/1.21.x/announcing-1.21.6/index.md
+++ b/content/en/news/releases/1.21.x/announcing-1.21.6/index.md
@ -0,0 +1,20 @@
+---
+title: Announcing Istio 1.21.6
+linktitle: 1.21.6
+subtitle: Patch Release
+description: Istio 1.21.6 patch release.
+publishdate: 2024-09-23
+release: 1.21.6
+---
+
+This release fixes the security vulnerabilities described in our September 19th post, [ISTIO-SECURITY-2024-006](/news/security/istio-security-2024-006).
+This release note describes what’s different between Istio 1.21.5 and 1.21.6.
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** `PILOT_SIDECAR_USE_REMOTE_ADDRESS` functionality on sidecars to support setting internal addresses to mesh network rather than localhost to prevent header sanitization if `envoy.reloadable_features.explicit_internal_address_config` is enabled.
+
+- **Fixed** `VirtualMachine` `WorkloadEntry` locality label missing during auto registration.
+  ([Issue #51800](https://github.com/istio/istio/issues/51800))
--- a/content/en/news/releases/1.22.x/announcing-1.22.5/index.md
+++ b/content/en/news/releases/1.22.x/announcing-1.22.5/index.md
@ -0,0 +1,20 @@
+---
+title: Announcing Istio 1.22.5
+linktitle: 1.22.5
+subtitle: Patch Release
+description: Istio 1.22.5 patch release.
+publishdate: 2024-09-19
+release: 1.22.5
+---
+
+This release fixes the security vulnerabilities described in our September 19th post, [ISTIO-SECURITY-2024-006](/news/security/istio-security-2024-006).
+This release note describes what’s different between Istio 1.22.4 and 1.22.5.
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** `PILOT_SIDECAR_USE_REMOTE_ADDRESS` functionality on sidecars to support setting internal addresses to mesh network rather than localhost to prevent header sanitization if `envoy.reloadable_features.explicit_internal_address_config` is enabled.
+
+- **Removed** a change in 1.22.4 to the handling of multiple service VIPs in ServiceEntry.
+  ([Issue #52944](https://github.com/istio/istio/issues/52944)),([Issue #52847](https://github.com/istio/istio/issues/52847))
--- a/content/en/news/releases/1.23.x/announcing-1.23.2/index.md
+++ b/content/en/news/releases/1.23.x/announcing-1.23.2/index.md
@ -0,0 +1,17 @@
+---
+title: Announcing Istio 1.23.2
+linktitle: 1.23.2
+subtitle: Patch Release
+description: Istio 1.23.2 patch release.
+publishdate: 2023-09-19
+release: 1.23.2
+---
+
+This release fixes the security vulnerabilities described in our September 19th post, [ISTIO-SECURITY-2024-006](/news/security/istio-security-2024-006).
+This release note describes what’s different between Istio 1.23.1 and 1.23.2.
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** `PILOT_SIDECAR_USE_REMOTE_ADDRESS` functionality on sidecars to support setting internal addresses to mesh network rather than localhost to prevent header sanitization if `envoy.reloadable_features.explicit_internal_address_config` is enabled.
--- a/content/en/news/security/istio-security-2024-006/index.md
+++ b/content/en/news/security/istio-security-2024-006/index.md
@ -0,0 +1,58 @@
+---
+title: ISTIO-SECURITY-2024-006
+subtitle: Security Bulletin
+description: CVEs reported by Envoy.
+cves: [CVE-2024-45807, CVE-2024-45808, CVE-2024-45806, CVE-2024-45809, CVE-2024-45810]
+cvss: "7.5"
+vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+releases: ["1.22.0 to 1.22.4", "1.23.0 to 1.23.1"]
+publishdate: 2024-09-19
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVEs
+
+- __[CVE-2024-45807](https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37)__: (CVSS Score 7.5, High): oghttp2 may crash on `OnBeginHeadersForStream`.
+
+- __[CVE-2024-45808](https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc)__: (CVSS Score 6.5, Moderate): Lack of validation for `REQUESTED_SERVER_NAME` field for access loggers enables injection of unexpected content into access logs.
+
+- __[CVE-2024-45806](https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf)__: (CVSS Score 6.5, Moderate): Potential for `x-envoy` headers to be manipulated by external sources.
+
+- __[CVE-2024-45809](https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3)__: (CVSS Score 5.3, Moderate): JWT filter crash in the clear route cache with remote JWKs.
+
+- __[CVE-2024-45810](https://github.com/envoyproxy/envoy/security/advisories/GHSA-qm74-x36m-555q)__: (CVSS Score 6.5, Moderate): Envoy crashes for `LocalReply` in HTTP async client.
+
+## Am I Impacted?
+
+You are impacted if you are using Istio 1.22.0 to 1.22.4 or 1.23.0 to 1.23.1.
+
+If you deploy an Istio Ingress Gateway, you are potentially vulnerable to `x-envoy` header manipulation by external sources. Envoy previously considered all private IP to be internal
+by default and as a result, did not sanitize headers from external sources with private IPs. Envoy added support for the flag `envoy.reloadable_features.explicit_internal_address_config`
+to explicitly un-trust all IPs. Envoy and Istio currently disable the flag by default for backwards compatibility. In future Envoy and Istio release the flag
+`envoy.reloadable_features.explicit_internal_address_config` will be enabled by default. The Envoy flag can be set mesh-wide or per-proxy via the [ProxyConfig](/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig)
+in `runtimeValues`.
+
+Mesh-wide example configuration:
+
+{{< text yaml >}}
+meshConfig:
+  defaultConfig:
+    runtimeValues:
+      "envoy.reloadable_features.explicit_internal_address_config": "true"
+{{< /text >}}
+
+Per-proxy example configuration:
+
+{{< text yaml >}}
+annotations:
+  proxy.istio.io/config: |
+    runtimeValues:
+      "envoy.reloadable_features.explicit_internal_address_config": "true"
+{{< /text >}}
+
+Note fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.