Envoy proxy & GetEnvoy, Istio, Open Source, Security

Upgrade: Istio and Envoy CVE security fixes

Users of Istio and Envoy are strongly encouraged to upgrade to Istio 1.4.6 and Envoy 1.13.1 or 1.12.3 to address four newly discovered security vulnerabilities. The Envoy update is also available via GetEnvoy.io.

CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1 Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (e.g., 1 byte) chunks.

Read More
Istio, Open Source, Security

Podcast: How did Autotrader UK got mTLS and more from Istio

TC Currie sat down with Autotrader UK’s Karl Stoney– a DevOps thought leader– to discuss what led them to Istio.

Karl explains that the main reason for the move had been their wish for transparent, mutual TLS, which they wanted to implement without modification to existing apps. He explains that they understood the best way to do this was using a sidecar model, and began their transformation with the use of Google’s managed Kubernetes offering ‘GKE’ when the conversations then pointed to Istio.

Read More
Security

Announcement of NIST & Tetrate co-hosted conference: “Identity Management and Access Control in Multi-Cloud”

Registration is open!

Join NIST and Tetrate.io this January 2020 for an interactive conference, “Identity Management and Access Control in Multi-Cloud,” to be held at NIST headquarters in Gaithersburg, MD. We’ll be navigating the future of Zero Trust in multi-cloud environments through the strategic integration of identity management, access control, and service mesh architecture.

Read More
Tetrate Engineer and Envoy Senior Maintainer Lizan Zhou
Envoy proxy & GetEnvoy, Events, Security

The basics of Envoy and Envoy extensibility

In his 2019 talks at KubeCon Barcelona, Tetrate Engineer and Envoy Senior Maintainer Lizan Zhou presented an overview of Envoy and a deep dive into its extensibility. The service proxy solves a host of operational problems related to observability and networking in large distributed systems, and its extensibility allows it to be adapted to a large variety of end use cases. Tetrate’s GetEnvoy, which provides enterprise with certified and tested Envoy proxy builds, launches next week.

Read More
Envoy proxy & GetEnvoy, Security

Envoy CVE security fixes for GetEnvoy

The Envoy security team today [announced] the availability of Envoy 1.9.1 to address two high-risk vulnerabilities related to header values and HTTP URL paths.

We also released the GetEnvoy build of Envoy 1.9.1 and the latest master build that fixes the vulnerability. Users are encouraged to upgrade to 1.9.1 or latest master build to address the following CVEs:

  • CVE-2019-9900: When parsing HTTP/1.x header values, Envoy 1.9 and before does not reject embedded zero characters (NUL, ASCII 0x0). This allows remote attackers crafting header values containing embedded NUL characters to potentially bypass header matching rules, gaining access to unauthorized resources.
  • CVE-2019-9901: Envoy does not normalize HTTP URL paths in Envoy 1.9 and before. A remote attacker may craft a path with a relative path, e.g. something/../admin, to bypass access control, e.g. a block on /admin. A backend server could then interpret the unnormalized path and provide an attacker access beyond the scope provided for by the access control policy.
Read More
Security, Tetrate

Introducing Tetrate Q

By SHRIRAM RAJAGOPALAN, IGNASI BARERRA, and DAVID FERRAIOLO

Editors note: Tetrate Q has been folded into Tetrate Service Bridge, making Next Generation Access Control (NIST) a built-in feature for Tetrate’s service bridge platform.

The modern enterprise infrastructure is a mishmash of legacy infrastructure, SaaS services, a smattering of cloud-native platforms like Kubernetes, along with an aging access control system that struggles to keep up with all the changes in the enterprise as it marches toward modernization. We no longer live in a world where the infrastructure is full of pets and the users come from set geographies with fixed access patterns. Technology has enabled users to access applications from the convenience of their mobile phones, anytime, anywhere on the planet. The security perimeter that was once synonymous with the network perimeter has now disappeared.

Read More