Service Mesh Istio
Envoy proxy & GetEnvoy, Istio, Open Source, Security

Istio and Envoy Security Advisories

September 29, 2020 — The Envoy Product Security Team (PST) announced the availability of a security fix and a series of patches for Envoy versions 1.12, 1.13, 1.14 and 1.15 to address two high-risk vulnerabilities related to header values and HTTP URL paths, in response to CVE-2020-25017. Additionally, the Istio community recommends that users upgrade to 1.6.11 or later for 1.6.x deployments, or 1.7.3 or later for 1.7.x deployments.

Envoy proxy & GetEnvoy, Istio, Open Source, Security

Upgrade: Istio and Envoy CVE security fixes

Users of Istio and Envoy are strongly encouraged to upgrade to Istio 1.4.6 and Envoy 1.13.1 or 1.12.3 to address four newly discovered security vulnerabilities. The Envoy update is also available via GetEnvoy.io.

CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1. Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (e.g., 1-byte) chunks.

Istio, Open Source, Security

Podcast: How Autotrader UK got mTLS and more from Istio

TC Currie sat down with Autotrader UK’s Karl Stoney, a DevOps thought leader, to discuss what led them to Istio.

Karl explains that the main reason for the move was their wish for transparent mutual TLS, which they wanted to implement without modifying existing apps. He explains that they understood the best way to do this was a sidecar model, and that they began their transformation on Google’s managed Kubernetes offering, GKE, at which point the conversation pointed to Istio.

Security

Announcement of NIST & Tetrate co-hosted conference: “Identity Management and Access Control in Multi-Cloud”

Registration is open!

Join NIST and Tetrate.io this January 2020 for an interactive conference, “Identity Management and Access Control in Multi-Cloud,” to be held at NIST headquarters in Gaithersburg, MD. We’ll be navigating the future of Zero Trust in multi-cloud environments through the strategic integration of identity management, access control, and service mesh architecture.

Envoy proxy & GetEnvoy, Events, Security

The basics of Envoy and Envoy extensibility

In his 2019 talks at KubeCon Barcelona, Tetrate Engineer and Envoy Senior Maintainer Lizan Zhou presented an overview of Envoy and a deep dive into its extensibility. The service proxy solves a host of operational problems related to observability and networking in large distributed systems, and its extensibility allows it to be adapted to a wide variety of end use cases. Tetrate’s GetEnvoy, which provides enterprises with certified and tested Envoy proxy builds, launches next week.

Envoy proxy & GetEnvoy, Security

Envoy CVE security fixes for GetEnvoy

The Envoy security team today announced the availability of Envoy 1.9.1 to address two high-risk vulnerabilities related to header values and HTTP URL paths.

We also released the GetEnvoy build of Envoy 1.9.1 and the latest master build that fixes the vulnerabilities. Users are encouraged to upgrade to 1.9.1 or the latest master build to address the following CVEs:

  • CVE-2019-9900: When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
  • CVE-2019-9901: Envoy 1.9 and before does not normalize HTTP URL paths. A remote attacker may craft a path containing relative segments, e.g. something/../admin, to bypass access control, e.g. a block on /admin. A backend server could then interpret the unnormalized path and provide the attacker access beyond the scope provided for by the access control policy.