Security bulletins
Use this XML feed to subscribe to Cloud Service Mesh security bulletins.
This page lists the security bulletins for Cloud Service Mesh.
GCP-2024-065
Description | Severity | Notes |
---|---|---|
Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting. What should I do?Check if your clusters are impactedYour cluster is impacted if patch versions earlier than:
For in-cluster Cloud Service Mesh, Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.20 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to version 1.21 or later. For managed Cloud Service Mesh, no action is required. All versions remain supported and your system will be automatically updated over the coming weeks. |
Medium |
Description | Severity | Notes |
---|---|---|
HTTP/1: Sending overload crashes when the request is reset beforehand. What should I do?Check if your clusters are impactedYour cluster is impacted if patch versions earlier than:
For in-cluster Cloud Service Mesh, Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.20 or earlier, your release has reached end of life and is no longer supported. If you're using Cloud Service Mesh v1.20 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to version 1.21 or later. For managed Cloud Service Mesh, no action is required. All versions remain supported and your system will be automatically updated over the coming weeks. |
High |
Description | Severity | Notes |
---|---|---|
HTTP/1.1 Multiple issues with envoy.reloadable_features.http1_balsa_delay_reset. What should I do?Check if your clusters are impactedYour cluster is impacted if patch versions earlier than:
For in-cluster Cloud Service Mesh, Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.20 or earlier, your release has reached end of life and is no longer supported. If you're using Cloud Service Mesh v1.20 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to version 1.21 or later. For managed Cloud Service Mesh, no action is required. All versions remain supported and your system will be automatically updated over the coming weeks. |
High |
GCP-2024-052
Published: 2024-09-19
Description | Severity | Notes |
---|---|---|
oghttp2 crash on OnBeginHeadersForStream What should I do?Check if your clusters are impactedOnly clusters running Cloud Service Mesh v1.23 are affected MitigationCloud Service Mesh 1.23.2-asm.2 contains the fix for this issue. No action is required. |
High |
Description | Severity | Notes |
---|---|---|
Malicious log injection via access logs What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationUpgrade your cluster to one of the following patched versions:
|
Medium |
Description | Severity | Notes |
---|---|---|
Potential to manipulate `x-envoy` headers from external sources What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationUpgrade your cluster to one of the following patched versions:
|
Medium |
Description | Severity | Notes |
---|---|---|
JWT filter crash in the clear route cache with remote JWKs What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationUpgrade your cluster to one of the following patched versions:
|
Medium |
Description | Severity | Notes |
---|---|---|
Envoy crashes for LocalReply in http async client What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationUpgrade your cluster to one of the following patched versions:
|
Medium |
GCP-2024-032
Published: 2024-06-24
Description | Severity | Notes |
---|---|---|
Envoy incorrectly accepts HTTP 200 response for entering upgrade mode. What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, your system will be automatically updated over the coming days. Otherwise, upgrade your cluster to one of the following patched versions:
|
Medium |
Description | Severity | Notes |
---|---|---|
Crash in EnvoyQuicServerStream::OnInitialHeadersComplete(). What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, your system will be automatically updated over the coming days. Otherwise, upgrade your cluster to one of the following patched versions:
|
Medium |
Description | Severity | Notes |
---|---|---|
Crash in QuicheDataReader::PeekVarInt62Length(). What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, your system will be automatically updated over the coming days. Otherwise, upgrade your cluster to one of the following patched versions:
|
Medium |
Description | Severity | Notes |
---|---|---|
Endless loop while decompressing Brotli data with extra input. What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, your system will be automatically updated over the coming days. Otherwise, upgrade your cluster to one of the following patched versions:
|
High |
Description | Severity | Notes |
---|---|---|
Crash (use-after-free) in EnvoyQuicServerStream. What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, your system will be automatically updated over the coming days. Otherwise, upgrade your cluster to one of the following patched versions:
|
Medium |
Description | Severity | Notes |
---|---|---|
Crash due to uncaught nlohmann JSON exception. What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, your system will be automatically updated over the coming days. Otherwise, upgrade your cluster to one of the following patched versions:
|
High |
Description | Severity | Notes |
---|---|---|
Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response. What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, your system will be automatically updated over the coming days. Otherwise, upgrade your cluster to one of the following patched versions:
|
Medium |
GCP-2024-023
Published: 2024-04-24
Description | Severity | Notes |
---|---|---|
HTTP/2: memory exhaustion due to CONTINUATION frame flood. What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.17 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh v1.18 or later. |
High |
Description | Severity | Notes |
---|---|---|
HTTP/2: CPU exhaustion due to CONTINUATION frame flood What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.17 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.18 or later. |
Medium |
Description | Severity | Notes |
---|---|---|
Abnormal termination when using What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.17 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.18 or above. |
High |
Description | Severity | Notes |
---|---|---|
HTTP/2 CONTINUATION frames can be utilized for DoS attacks. What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. MitigationIf you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.17 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to version v1.18 or later. |
Not Provided |
GCP-2024-007
Published: 2024-02-08
Description | Severity | Notes |
---|---|---|
Envoy crashes when idle and requests per try timeout occur within the backoff interval. What should I do?If you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Anthos Service Mesh v1.17 or earlier, your release has reached end of life and is no longer supported. While these CVE fixes have been backported to 1.17, you should upgrade to 1.18 or later. |
High |
Description | Severity | Notes |
---|---|---|
Excessive CPU usage when URI template matcher is configured using regex. What should I do?If you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Anthos Service Mesh v1.17 or earlier, your release has reached end of life and is no longer supported. While these CVE fixes have been backported to 1.17, you should upgrade to 1.18 or later. |
Medium |
Description | Severity | Notes |
---|---|---|
External authorization can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata. What should I do?If you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Anthos Service Mesh v1.17 or earlier, your release has reached end of life and is no longer supported. While these CVE fixes have been backported to 1.17, you should upgrade to 1.18 or later. |
High |
Description | Severity | Notes |
---|---|---|
Envoy crashes when using an address type that isn't supported by the OS. What should I do?If you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Anthos Service Mesh v1.17 or earlier, your release has reached end of life and is no longer supported. While these CVE fixes have been backported to 1.17, you should upgrade to 1.18 or later. |
High |
Description | Severity | Notes |
---|---|---|
Crash in proxy protocol when command type is What should I do?If you are running managed Cloud Service Mesh, no action is required. Your system will be automatically updated over the coming days. If you are running in-cluster Cloud Service Mesh, you must upgrade your cluster to one of the following patched versions:
If you're using Anthos Service Mesh v1.17 or earlier, your release has reached end of life and is no longer supported. While these CVE fixes have been backported to 1.17, you should upgrade to 1.18 or later. |
High |
GCP-2023-031
Published: 2023-10-10
Description | Severity | Notes |
---|---|---|
A denial of service attack can affect the data plane when using the HTTP/2 protocol. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.18.4, 1.17.7, or 1.16.7. MitigationUpgrade your cluster to one of the following patched versions:
If you are running managed Cloud Service Mesh, your system will be automatically updated within the next few days. If you're using Cloud Service Mesh v1.15 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to v1.16 or above. |
High |
GCP-2023-021
Updated:2023-07-26
Published: 2022-07-25Description | Severity | Notes |
---|---|---|
A malicious client is able to construct credentials with permanent validity in some specific scenarios. For example, the combination of host and expiration time in the HMAC payload can be always valid in OAuth2 filter's HMAC check. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than
Upgrade your cluster to one of the following patched versions:
If you are running managed Cloud Service Mesh, your system will be automatically updated within the next few days. If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above. |
High |
Description | Severity | Notes |
---|---|---|
gRPC access loggers using the listener's global scope can cause a use-after-free crash when the listener is drained. This can be triggered by an LDS update with the same gRPC access log configuration. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than
Upgrade your cluster to one of the following patched versions:
If you are running managed Cloud Service Mesh, your system will be automatically updated within the next few days. If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
If What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than
Upgrade your cluster to one of the following patched versions:
If you are running managed Cloud Service Mesh, your system will be automatically updated within the next few days. If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
Attackers can send mixed scheme requests to bypass some scheme checks in Envoy. For example, if a request with mixed scheme htTp is sent to the OAuth2 filter, it will fail the exact-match checks for http, and inform the remote endpoint the scheme is https, thus potentially bypassing OAuth2 checks specific to HTTP requests. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than
Upgrade your cluster to one of the following patched versions:
If you are running managed Cloud Service Mesh, your system will be automatically updated within the next few days. If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above. |
High |
GCP-2023-019
Description | Severity | Notes |
---|---|---|
A specifically crafted response from an untrusted upstream service can cause a denial of service through memory exhaustion. This is caused by Envoy's HTTP/2 codec which may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than
Upgrade your cluster to one of the following patched versions:
If you are running managed Cloud Service Mesh, your system will be automatically updated within the next few days. If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above. |
High |
GCP-2023-002
Description | Severity | Notes |
---|---|---|
If Envoy is running with the OAuth filter enabled exposed, a malicious actor could construct a request which would cause denial of service by crashing Envoy. What should I do?Check if your clusters are impactedYour clusters are impacted if they use Cloud Service Mesh patch versions earlier than:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.14 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
The attacker can use this vulnerability to bypass auth checks when ext_authz is used. What should I do?Check if your clusters are impactedYour clusters are impacted if they use Cloud Service Mesh patch versions earlier than:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh} 1.14 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
Envoy configuration must also include an option to add request headers that were generated using inputs from the request, i.e. the peer certificate SAN. What should I do?Check if your clusters are impactedYour clusters are impacted if they use Cloud Service Mesh patch versions earlier than:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.14 or above. |
High |
Description | Severity | Notes |
---|---|---|
Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes. What should I do?Check if your clusters are impactedYour clusters are impacted if they use Cloud Service Mesh patch versions earlier than:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.14 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
Attackers can send specifically crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on HTTP/1 upstream service. What should I do?Check if your clusters are impactedYour clusters are impacted if they use Cloud Service Mesh patch versions earlier than:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.14 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client. What should I do?Check if your clusters are impactedYour clusters are impacted if they use Cloud Service Mesh patch versions earlier than:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.14 or above. |
High |
GCP-2022-020
Published: 2022-10-05Updated: 2022-10-12
2022-10-12 Update: Updated link to CVE description and added information about automatic updates for managed Cloud Service Mesh.
Description | Severity | Notes |
---|---|---|
The Istio control plane What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.14.4, 1.13.8, or 1.12.9. MitigationIf you are running standalone Cloud Service Mesh, upgrade your cluster to one of the following patched versions:
If you are running managed Cloud Service Mesh, your system will be automatically updated within the next few days. If you're using Cloud Service Mesh v1.11 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.12 or later. |
High |
GCP-2022-015
Published: 2022-06-09Updated: 2022-06-10
2022-06-10 Update: Updated patch versions for Cloud Service Mesh.
Description | Severity | Notes |
---|---|---|
Istio data plane can potentially access memory unsafely when the Metadata Exchange and Stats extensions are enabled. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4. Cloud Service Mesh MitigationUpgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises). |
High |
Description | Severity | Notes |
---|---|---|
Data can exceed intermediate buffer limits if a malicious attacker passes a small highly compressed payload (also known as a zip bomb attack). What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4. Although Cloud Service Mesh does not support Envoy filters, you could be impacted if you use a decompress filter. Cloud Service Mesh MitigationUpgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises). Envoy MitigationEnvoy users managing their own Envoys should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them. There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1. |
High |
Description | Severity | Notes |
---|---|---|
Potential null pointer dereference in What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4. Cloud Service Mesh MitigationUpgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises). Envoy MitigationEnvoy users managing their own Envoys should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them. There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1. |
Medium |
Description | Severity | Notes |
---|---|---|
OAuth filter allows trivial bypass. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4. Although Cloud Service Mesh does not support Envoy filters, you could be impacted if you use an OAuth filter. Cloud Service Mesh MitigationUpgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises). Envoy MitigationEnvoy users managing their own Envoys also use the OAuth filter should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them. There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1. |
Critical |
Description | Severity | Notes |
---|---|---|
OAuth filter can corrupt memory (earlier versions) or trigger an ASSERT() (later versions). What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4. Although Cloud Service Mesh does not support Envoy filters, you could be impacted if you use an OAuth filter. Cloud Service Mesh MitigationUpgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.11 or later. Envoy MitigationEnvoy users managing their own Envoys also use the OAuth filter should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them. There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1. |
High |
Description | Severity | Notes |
---|---|---|
Internal redirects crash for requests with body or trailers. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4. Cloud Service Mesh MitigationUpgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises). Envoy MitigationEnvoy users managing their own Envoys should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them. There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1. |
High |
GCP-2022-010
Published: 2022-03-10Updated: 2022-03-16
Description | Severity | Notes |
---|---|---|
The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017 but does not require any authentication from the attacker. What should I do?Check if your clusters are impactedAll Cloud Service Mesh versions are impacted by this CVE. Note: If you are using Managed Control Plane, this vulnerability has already been fixed and you are not impacted. MitigationUpgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.10 or above. |
High |
GCP-2022-007
Published: 2022-02-22Description | Severity | Notes |
---|---|---|
Istiod crashes upon receiving requests with a specially crafted What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Note: If you are using Managed Control Plane, this vulnerability has already been fixed and you are not impacted. MitigationUpgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.10 or above. |
High |
Description | Severity | Notes |
---|---|---|
Potential null pointer dereference when using JWT filter What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.10 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits. What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.10 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment. What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.10 or above. |
Medium |
Description | Severity | Notes |
---|---|---|
Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed. What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.10 or above. |
High |
Description | Severity | Notes |
---|---|---|
Incorrect handling of internal redirects to routes with a direct response entry. What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.10 or above. |
High |
Description | Severity | Notes |
---|---|---|
Stack exhaustion when a cluster is deleted via Cluster Discovery Service. What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
If you're using Cloud Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Cloud Service Mesh 1.10 or above. |
Medium |
GCP-2021-016
Published: 2021-08-24Description | Severity | Notes |
---|---|---|
Istio contains a remotely exploitable vulnerability where an HTTP request with a fragment (a section in the end of a URI that begins with a
For example, an Istio authorization policy denies requests sent to the URI path This fix depends on a fix in Envoy, which is associated with CVE-2021-32779. What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
With the new versions, the fragment part of the request’s URI is removed before the authorization and routing. This prevents a request with a fragment in its URI from bypassing authorization policies which are based on the URI without the fragment part. Opt-outIf you opt-out of this new behavior, the fragment section in the URI is kept. To opt-out, you can configure your installation as follows: apiVersion: install.istio.io/v1alpha1 kind: IstioOperator metadata: name: opt-out-fragment-cve-fix namespace: istio-system spec: meshConfig: defaultConfig: proxyMetadata: HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED: "false" Note: Opting out of this behavior makes your cluster vulnerable to this CVE. |
High |
Description | Severity | Notes |
---|---|---|
Istio contains a remotely exploitable vulnerability where an HTTP request could potentially bypass an Istio authorization policy when using rules based on
In the vulnerable versions, the Istio authorization policy compares the HTTP What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
This mitigation makes sure that the HTTP |
High |
Description | Severity | Notes |
---|---|---|
Envoy contains a remotely exploitable vulnerability that an HTTP request with multiple value headers could do an incomplete authorization policy check when the What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
|
High |
Description | Severity | Notes |
---|---|---|
Envoy contains a remotely exploitable vulnerability that affects Envoy's What should I do?Check if your clusters are impactedYour cluster is impacted if both of the following are true:
Upgrade your cluster to one of the following patched versions:
|
High |
Description | Severity | Notes |
---|---|---|
Envoy contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests could lead to excessive CPU consumption. What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6. MitigationUpgrade your cluster to one of the following patched versions:
Note: If you are using Cloud Service Mesh 1.8 or earlier, please upgrade to the latest patch versions of Cloud Service Mesh 1.9 and above to mitigate this vulnerability. |
High |
Description | Severity | Notes |
---|---|---|
Envoy contains a remotely exploitable vulnerability where an untrusted upstream service could cause Envoy to terminate abnormally by sending the What should I do?Check if your clusters are impactedYour cluster is impacted if it uses Cloud Service Mesh 1.10 with a patch version earlier than 1.10.4-asm.6. MitigationUpgrade your cluster to the following patch version:
|
High |
GCP-2021-012
Published: 2021-06-24Description | Severity | Notes |
---|---|---|
The Istio secure
Normally, a gateway or workload deployment is only able to access TLS certificates and private
keys stored in the secret within its namespace. However, a bug in What should I do?Check if your clusters are impactedYour cluster is impacted if ALL of the following conditions are true:
Upgrade your cluster to one of the following patched versions:
If an upgrade isn't feasible, you can mitigate this vulnerability by disabling istiod caching.
You can disable caching by setting the istiod environment variable to
PILOT_ENABLE_XDS_CACHE=false . System and istiod performance could be
impacted because this disables XDS caching.
|
High |
GCP-2021-008
Published: 2021-05-17Description | Severity | Notes |
---|---|---|
Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration. What should I do?Check if your clusters are impactedThis vulnerability impacts only usage of the AUTO_PASSTHROUGH Gateway type, which is typically only used in multi-network, multi-cluster deployments. Detect the TLS mode of all Gateways in the cluster with the following command: kubectl get gateways.networking.istio.io -A -o \ "custom-columns=NAMESPACE:.metadata.namespace, \ NAME:.metadata.name,TLS_MODE:.spec.servers[*].tls.mode" If the output shows any AUTO_PASSTHROUGH Gateways, you could be impacted. MitigationUpdate your clusters to the latest Cloud Service Mesh versions:
* Note: The rollout of the Cloud Service Mesh Managed Control Plane (available only in 1.9.x versions) will complete in the next few days. |
High |
GCP-2021-007
Published: 2021-05-17Description | Severity | Notes |
---|---|---|
Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.
In a scenario where an Istio cluster administrator defines an authorization DENY policy to
reject the request at path
According to the
RFC 3986,
the path What should I do?Check if your clusters are impactedYour cluster is impacted by this vulnerability if you have authorization policies using "ALLOW action + notPaths field" or "DENY action + paths field" patterns. These patterns are vulnerable to unexpected policy bypasses and you should upgrade to fix the security issue ASAP. The following is an example of vulnerable policy that uses "DENY action + paths field" pattern: apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: deny-path-admin spec: action: DENY rules: - to: - operation: paths: ["/admin"] The following is another example of vulnerable policy that uses "ALLOW action + notPaths field" pattern: apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-path-not-admin spec: action: ALLOW rules: - to: - operation: notPaths: ["/admin"] Your cluster is not impacted by this vulnerability if:
Upgrading is optional for these cases. Update your clusters to the latest supported Cloud Service Mesh versions*. These versions support configuring the Envoy proxies in the system with more normalization options:
* Note: The rollout of the Cloud Service Mesh Managed Control Plane (available only in 1.9.x versions) will complete in the next few days. Follow the Istio security best practices guide to configure your authorization policies. |
High |
GCP-2021-004
Published: 2021-05-06Description | Severity | Notes |
---|---|---|
The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28682, CVE-2021-28683, and CVE-2021-29258), that could allow an attacker to crash Envoy and potentially render parts of the cluster offline and unreachable. This impacts delivered services such as Cloud Service Mesh. What should I do?To fix these vulnerabilities, upgrade your Cloud Service Mesh bundle to one of the following patched versions:
For more information, see the Cloud Service Mesh release notes. |
High |