
Istio and Envoy Common Vulnerabilities and Exposures #4467

Status: Open
usbulat opened this issue Feb 24, 2022 · 5 comments
Labels: Deployment (This issue is related to deploying the platform), Feature request (Use this tag for issues that describe a request for new features or functionality)

Comments


usbulat commented Feb 24, 2022

Hi!

Deployed version: 2.0.5
We've received the following email from GCP:

We’re writing to let you know that the Istio and Envoy communities discovered multiple Common Vulnerabilities and Exposures (CVEs) that affect Istio and Envoy, which power Istio on Google Kubernetes Engine (GKE). To ensure your clusters using Istio-on-GKE are not vulnerable to this CVE, please upgrade your affected clusters to the newest Istio-on-GKE patch releases as soon as possible.

What do I need to know?

Envoy recently fixed multiple security vulnerabilities. Istio-on-GKE is impacted because Envoy is used as the gateways and proxies in the clusters. While most of the CVEs do not affect Istio deployments, the following Envoy CVE we are fixing in this release is listed below:

CVE-2022-21654 (CVSS score 7.3, High): Incorrect configuration handling allows mTLS session reuse without re-validation after validation settings have changed.
Note: this CVE impacts all ASM and Istio-on-GKE services using mTLS.
Istio recently fixed one security vulnerability. Istio-on-GKE is impacted because Istio is the basis for Istio-on-GKE’s control plane. The Istio CVE we are fixing in this release is listed below:

CVE-2022-23635 (CVSS score 7.5, High): Istiod crashes upon receiving requests with a specially crafted authorization header.
Note: this CVE impacts all ASM and Istio-on-GKE versions.
For the full descriptions and impacts of the above CVEs, please refer to the security bulletin.

What do I need to do?

Istio-on-GKE is deprecated.

After December 31, 2021, the UI no longer supports this feature during the creation of new clusters. After September 30, 2022, Istio-on-GKE will no longer be supported in existing clusters. You can migrate Istio on GKE to Anthos Service Mesh to continue using your service meshes. For more information, see the migration FAQ.

Please look at the guides in this article: upgrade Istio-on-GKE to determine which Istio-on-GKE version to upgrade to. If you’re using:

Istio-on-GKE 1.6, upgrade to v1.6.14-gke.9.
Istio-on-GKE 1.4.11, upgrade to v1.4.11-gke.4.
Istio-on-GKE 1.4.10, upgrade to v1.4.10-gke.23.
GKE 1.22 or higher, please use Istio GKE 1.4.10.
Otherwise, use Istio-on-GKE 1.4.11.

What ways to solve this issue could you suggest? Are there any plans (IaaC changes) to prevent this issue?

@usbulat usbulat added the Feature request Use this tag for issues that describe a request for new features or functionality. label Feb 24, 2022
yugandhar-btc (Collaborator) commented:

@usbulat could you please tell us your current GKE cluster, Istio and istio-operator versions?

usbulat commented Mar 11, 2022

Hi @yugandhar-btc, thanks

We have the following versions:
1.20.11-gke.1300
gke.gcr.io/istio/proxyv2:1.4.10-gke.8
gke.gcr.io/istio/citadel:1.4.10-gke.8
gke.gcr.io/istio/galley:1.4.10-gke.8
gke.gcr.io/istio/pilot:1.4.10-gke.8
gke.gcr.io/istio/mixer:1.4.10-gke.8
gke.gcr.io/istio/sidecar_injector:1.4.10-gke.8
gke.gcr.io/istio/operator:1.6.14-gke.1
gcr.io/gke-release/istio/pilot:1.6.14-gke.1

@yugandhar-btc yugandhar-btc added the Deployment This issue is related to deploying the platform label Mar 14, 2022
yugandhar-btc (Collaborator) commented:

@usbulat please follow the guides in this article, Upgrading Istio on GKE, and upgrade the namespaces below.

  • Upgrade the istio/operator version from 1.6.14-gke.1 to 1.6.14-gke.9.
  • Upgrade the above-listed istio-system namespace services from version 1.4.10-gke.8 to v1.4.10-gke.23.
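
As an added example (not code from this issue or the project), a POSIX shell check that compares istio-system image tags against the patched Istio-on-GKE tags named in the GCP notice quoted above. The image list is constructed to mirror the versions reported in this thread; in real use, feed it the output of the kubectl jsonpath query given in the comment.

```shell
#!/bin/sh
# Added example: flags istio-system images still below the patched tags from the
# GCP notice (1.6.14-gke.9, 1.4.11-gke.4, 1.4.10-gke.23). For a live cluster, run:
#   kubectl -n istio-system get pods \
#     -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'
# and pass that output to count_unpatched. Constructed sample mirroring the thread:
SAMPLE_IMAGES='gke.gcr.io/istio/proxyv2:1.4.10-gke.8
gke.gcr.io/istio/pilot:1.4.10-gke.8
gke.gcr.io/istio/operator:1.6.14-gke.1
gcr.io/gke-release/istio/pilot:1.6.14-gke.9'

# patched_tag TAG -> minimum patched tag for the release line TAG belongs to
patched_tag() {
  case "$1" in
    1.6.*)   echo "1.6.14-gke.9" ;;
    1.4.11*) echo "1.4.11-gke.4" ;;
    1.4.10*) echo "1.4.10-gke.23" ;;
    *)       echo "" ;;               # line not covered by the notice
  esac
}

# tag_at_least A B -> exit 0 if A >= B, comparing "1.4.10-gke.8" field by field
# (numeric compare, so gke.8 < gke.23 even though "8" > "2" as a string)
tag_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/-gke\./, ".", a); gsub(/-gke\./, ".", b)
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 1
      if (x[i] + 0 > y[i] + 0) exit 0
    }
    exit 0
  }'
}

# image_status IMAGE -> prints ok | upgrade | unknown
image_status() {
  tag=${1##*:}
  want=$(patched_tag "$tag")
  if [ -z "$want" ]; then echo unknown
  elif tag_at_least "$tag" "$want"; then echo ok
  else echo upgrade; fi
}

# count_unpatched IMAGES -> prints the number of images not on a patched tag;
# a per-image report goes to stderr so the count stays machine-readable
count_unpatched() {
  n=0
  for img in $1; do
    st=$(image_status "$img")
    [ "$st" = ok ] || n=$((n + 1))
    printf '%-8s %s\n' "$st" "$img" >&2
  done
  echo "$n"
}

count_unpatched "$SAMPLE_IMAGES"
```

A non-zero count means at least one component is still on a vulnerable tag or on a line the notice does not cover, and should be upgraded per the versions above.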

usbulat commented Mar 14, 2022

@yugandhar-btc , thanks. Wouldn't this upgrade cause any drift in infrastructure? And wouldn't it cause any troubles during further mystudies upgrade?
Is there any way to do the upgrade using IaaC?

@yugandhar-btc yugandhar-btc self-assigned this Mar 15, 2022
yugandhar-btc (Collaborator) commented:

@usbulat Since we are using the Istio service mesh until we move to a different service mesh provider, it will not affect further MyStudies upgrades, so for now please follow the guides as mentioned in the above comment and upgrade.

However, if any changes are related to the upgrade, they will be available in the further releases.
