ISTIO-SECURITY-2020-007
Multiple denial of service vulnerabilities in Envoy.
CVE-2020-8663 is addressed in Envoy by adding a configurable limit on downstream connections. The limit must be configured to mitigate this vulnerability. Perform the following steps to configure limits at the ingress gateway.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2020-12603, CVE-2020-12605, CVE-2020-8663, CVE-2020-12604 |
| CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | 1.5 to 1.5.6, 1.6 to 1.6.3 |
Envoy, and subsequently Istio, are vulnerable to four newly discovered vulnerabilities:
- CVE-2020-12603: By sending a specially crafted packet, an attacker could cause Envoy to consume excessive amounts of memory when proxying HTTP/2 requests or responses.
  - CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CVE-2020-12605: An attacker could cause Envoy to consume excessive amounts of memory when processing specially crafted HTTP/1.1 packets.
  - CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CVE-2020-8663: An attacker could cause Envoy to exhaust file descriptors when accepting too many connections.
  - CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CVE-2020-12604: An attacker could cause increased memory usage when processing specially crafted packets.
  - CVSS Score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Mitigation
- For Istio 1.5.x deployments: update to Istio 1.5.7 or later.
- For Istio 1.6.x deployments: update to Istio 1.6.4 or later.
Create a config map by downloading custom-bootstrap-runtime.yaml. Update `global_downstream_max_connections` in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting TCP connections.

```
$ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
```

Patch the ingress gateway deployment to use the above configuration. Download gateway-patch.yaml and apply it using the following command.

```
$ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)"
```

Confirm that the new limits are in place.

```
$ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath="{.items[0].metadata.name}")
$ kubectl --namespace istio-system exec -i -t "${ISTIO_INGRESS_PODNAME}" -c istio-proxy -- curl -sS http://localhost:15000/runtime
{
  "entries": {
    "overload.global_downstream_max_connections": {
      "layer_values": [
        "",
        "250000",
        ""
      ],
      "final_value": "250000"
    }
  },
  "layers": [
    "static_layer_0",
    "admin"
  ]
}
```
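Because the CVE-2020-8663 fix is only effective once the limit is actually configured, it is worth checking every gateway pod rather than eyeballing one. The following is an added example (not part of the advisory or the Istio project) that parses the admin /runtime response shown above and reports the limit Envoy is enforcing; the sample JSON is constructed from the output on this page, and the function names are the author's own.

```python
import json
from typing import Optional

KEY = "overload.global_downstream_max_connections"

# Constructed sample of an Envoy admin /runtime response, modelled on the
# output shown in the advisory (not captured from a live gateway).
SAMPLE_RUNTIME = json.dumps({
    "entries": {
        KEY: {
            "layer_values": ["", "250000", ""],
            "final_value": "250000",
        }
    },
    "layers": ["static_layer_0", "admin"],
})


def effective_limit(runtime_json: str) -> Optional[int]:
    """Return the downstream connection limit Envoy is enforcing, or None.

    Envoy evaluates runtime layers in order and the last layer that sets a
    value wins, so the limit is recomputed from layer_values and then
    cross-checked against the final_value Envoy reports. None means the
    limit was never set, i.e. the mitigation is not in place on this pod.
    """
    doc = json.loads(runtime_json)
    entry = doc.get("entries", {}).get(KEY)
    if entry is None:
        return None  # key absent: the config map was not picked up
    set_values = [v for v in entry.get("layer_values", []) if v != ""]
    if not set_values:
        return None  # key present but no layer assigns a value
    computed = int(set_values[-1])
    reported = entry.get("final_value", "")
    if reported != "" and int(reported) != computed:
        raise ValueError(
            f"layer_values ({computed}) disagree with final_value ({reported})"
        )
    return computed


def check_limit(runtime_json: str, expected: int) -> bool:
    """True only when a limit is set and equals the value you deployed."""
    return effective_limit(runtime_json) == expected
```

Feed it the /runtime output of each istio-ingressgateway pod (for example by looping over `kubectl get pods -l app=istio-ingressgateway`) and treat None or a mismatch as a failed rollout of the patch.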
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.