ISTIO-SECURITY-2020-007

Security Bulletin

Disclosure Details
CVE(s): CVE-2020-12603, CVE-2020-12605, CVE-2020-8663, CVE-2020-12604
CVSS Impact Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, i.e. availability impact only)
Affected Releases: 1.5 to 1.5.6, 1.6 to 1.6.3

Envoy, and consequently Istio, are affected by the four newly disclosed vulnerabilities listed above.

Mitigation

  • For Istio 1.5.x deployments: update to Istio 1.5.7 or later.
  • For Istio 1.6.x deployments: update to Istio 1.6.4 or later.

CVE-2020-8663 is addressed in Envoy by adding a configurable limit on the number of downstream connections. Upgrading alone does not mitigate this vulnerability: the limit must be configured explicitly. Perform the following steps to configure the limit at the ingress gateway.

  1. Create a config map from custom-bootstrap-runtime.yaml. Before applying it, set global_downstream_max_connections to the number of concurrent connections a single gateway instance must serve; the limit applies per gateway instance, so size it per pod rather than per deployment. Once the limit is reached, Envoy rejects new TCP connections.

    $ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
    
  2. Patch the ingress gateway deployment to use the above configuration. Download gateway-patch.yaml and apply it using the following command.

    $ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)"
    
  3. Confirm that the new limit is in place by querying the Envoy admin /runtime endpoint on the gateway pod. The final_value for overload.global_downstream_max_connections should be the value you configured.

    $ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system  -o jsonpath="{.items[0].metadata.name}")
    $ kubectl --namespace istio-system exec -i -t  ${ISTIO_INGRESS_PODNAME} -c istio-proxy -- curl http://localhost:15000/runtime
    
    {
    "entries": {
     "overload.global_downstream_max_connections": {
      "layer_values": [
       "",
       "250000",
       ""
      ],
      "final_value": "250000"
     }
    },
    "layers": [
     "static_layer_0",
     "admin"
    ]
    }
    

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.
