Aspen Mesh Carrier-Grade 1.11.7-am1 release notes#
Introduction#
These release notes describe the differences between Aspen Mesh Carrier-Grade 1.11.5-am2 and 1.11.7-am1.
This release includes security updates and important bug fixes.
Supported platforms#
This release is officially supported on these platforms and versions:
| Platform | Version | Recommended Helm version |
|---|---|---|
| OpenShift | 4.7 | 3.8 |
Security updates#
Istio 1.11.7#
CVE-2022-23635 (CVSS score 7.5, High): Unauthenticated control plane denial of service attack.
Istio 1.11.7 proxy (Envoy)#
CVE-2022-21655 (CVSS score 7.5, High): Envoy 1.21 and earlier - Incorrect handling of internal redirects to routes with a direct response entry.
CVE-2022-21654 (CVSS score 7.3, High): Envoy 1.7.0 and later - Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.
CVE-2021-43824 (CVSS score 6.5, Medium): Envoy 1.21.0 and earlier - Potential null pointer dereference when using JWT filter safe_regex match.
CVE-2021-43825 (CVSS score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.
CVE-2021-43826 (CVSS score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.
CVE-2022-21657 (CVSS score 3.1, Low): X.509 Extended Key Usage and Trust Purposes bypass. (This security update is not included in the open source Istio 1.11.7 sidecar proxy.)
Istio 1.11.6#
(No security updates)
Aspen Mesh features#
(No security updates)
Other changes#
Istio 1.11.7#
(No changes)
Istio 1.11.6#
- In the istio-cni Helm chart, added the `cni.privileged` field, which configures whether the istio-cni daemon set runs in privileged mode. (Issue 34211) The default is `true`, which is appropriate for OpenShift Container Platform clusters.
- Added an option to disable a number of nonstandard kubeconfig authentication methods (for example `exec` plugins and auth providers) when using multicluster secrets, by configuring the `PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS` environment variable in Istiod. By default, this option allows all methods; future versions will restrict this by default.
- Fixed an issue where enabling tracing with the Telemetry API caused a malformed host header to be used in the trace report request. (Issue 35750, Issue 36166, Issue 36521)
- Fixed the error format after JSON marshaling in virtual machine config. (Issue 36358)
- Fixed an endpoint slice cache memory leak.
- Fixed an issue where `EnvoyFilter` patches on `virtualOutbound-blackhole` could cause memory leaks.
- Fixed an issue where using `ISTIO_MUTUAL` TLS mode in Gateways while also setting `credentialName` caused mutual TLS to not be configured: the gateway served simple TLS from the named secret and never requested a client certificate. For backwards compatibility, this only introduces a warning. To enable the new behavior, set the `PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME=false` environment variable in Istiod. This will cause invalid configurations to be rejected and will be the default behavior in future releases.
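The following is an added example, not configuration from these release notes or from the Istio or Aspen Mesh projects. It shows one way to apply the three Istio 1.11.6 settings above in a single IstioOperator overlay, followed by a Gateway in the misconfigured form (`ISTIO_MUTUAL` plus `credentialName`) and its corrected form. The resource names, namespace, hostname, secret name, and the assumption that an empty `PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS` permits none of the nonstandard methods (the value format comes from Istio's pilot environment reference, not from this page) are all assumptions; `cni.privileged` is the chart value, shown here as it passes through `spec.values`.

```yaml
# Added example (not from the Aspen Mesh release notes or the Istio project).
# IstioOperator overlay pinning the three settings introduced in Istio 1.11.6.
# Names, namespace and hostnames below are placeholders.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: hardened-control-plane      # assumed name
  namespace: istio-system
spec:
  values:
    cni:
      enabled: true
      # Release default and required on OpenShift; set false only on
      # platforms whose CNI allows an unprivileged istio-cni daemon set.
      privileged: true
  components:
    pilot:
      k8s:
        env:
          # Permit none of the nonstandard kubeconfig auth methods in
          # multicluster remote secrets. The 1.11.6 default is "all";
          # the empty value is an assumption about the variable's format
          # taken from Istio's pilot environment reference.
          - name: PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS
            value: ""
          # Reject Gateways that combine ISTIO_MUTUAL with credentialName
          # instead of only logging a warning.
          - name: PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME
            value: "false"
---
# BEFORE: under the legacy behavior this Gateway never gets mutual TLS.
# credentialName wins, the listener serves simple TLS from that secret,
# and clients are never asked for a certificate. With the variable above
# set to "false", Istiod rejects the configuration.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: internal-gw                 # assumed name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "internal.example.com"    # placeholder host
      tls:
        mode: ISTIO_MUTUAL
        credentialName: internal-gw-cert   # invalid together with ISTIO_MUTUAL
---
# AFTER: ISTIO_MUTUAL uses the mesh-issued workload certificate and trust
# bundle, so no credentialName is given and clients must present a mesh
# client certificate to connect.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: internal-gw
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      hosts:
        - "internal.example.com"
      tls:
        mode: ISTIO_MUTUAL
```

Apply the overlay with `istioctl install -f`, then check Istiod's logs for the `credentialName` warning before flipping `PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME` to `false`, since after the flip any remaining Gateway of the first form is rejected rather than served.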
Aspen Mesh features#
AM-3879: Updated the following metrics provided by the Packet Inspector 1 daemon-set process:
- `aspenmesh_packet_inspector_connections_active`: The possible values for `peer` now include `analysis` (in addition to `filter`).
- `aspenmesh_packet_inspector_total_duration_ms`: The possible values for `peer` now include `combined` and `dropped` (in addition to `filter` and `analysis`).
The Packet Inspector 1 daemon-set process includes the following metrics (in this list, `hostname` is the hostname of the daemon-set pod emitting the metric; `peer` is the component with which communication is occurring; and `status` is the result of the processing):
- `aspenmesh_packet_inspector_requests_total` (counter): The total number of requests that Packet Inspector 1 nodes receive or send, partitioned by `status`, `hostname`, and `peer` (either `filter` or `analysis`)
- `aspenmesh_packet_inspector_circular_buffer_bytes` (gauge): The total number of bytes currently in use by the Packet Inspector 1 circular buffer, partitioned by `hostname`
- `aspenmesh_packet_inspector_connections_active` (gauge): The number of connections currently in use by Packet Inspector 1, partitioned by `hostname` and `peer` (either `filter` or `analysis`)
- `aspenmesh_packet_inspector_queue_channel` (gauge): The total number of messages currently in the Packet Inspector 1 queue channel, partitioned by `hostname`
- `aspenmesh_packet_inspector_request_bytes_total` (summary): The total number of bytes that Packet Inspector 1 nodes receive or send, partitioned by `status`, `hostname`, and `peer` (either `filter` or `analysis`)
- `aspenmesh_packet_inspector_total_duration_ms` (summary): The total number of milliseconds spent processing by Packet Inspector 1, partitioned by `hostname` and `peer` (one of `filter`, `analysis`, `combined`, or `dropped`)
- `aspenmesh_packet_inspector_analysis_processing_ms` (summary): The number of milliseconds Packet Inspector 1 spent waiting on the analysis service, partitioned by `hostname`
AM-3880: Increased the maximum number of concurrent messages that each Packet Inspector 1 daemon-set pod can send to the analysis service from 50 to 200, and raised the default from 5 to 20.
AM-3902: Improved debug logging for the Packet Inspector 1 filter and daemon-set process.
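As an added example (not part of these release notes or of the Aspen Mesh product), the Prometheus rules below turn the Packet Inspector 1 metrics listed under AM-3879 into a recording rule and alerts. The page gives the metric names, types, and the `hostname`, `peer`, and `status` label names, plus the `peer` values; everything else here is an assumption: the rule group name, the thresholds and `for` windows, that `ok` is the success value of `status`, and that the summary metrics expose the standard `_sum` and `_count` series. The queue threshold is meant to be tuned against the AM-3880 concurrency setting.

```yaml
# Added example (not from the Aspen Mesh release notes). Prometheus alerting
# rules over the Packet Inspector 1 daemon-set metrics. Group name, thresholds,
# "for" windows and the status="ok" success value are assumptions.
groups:
  - name: aspenmesh-packet-inspector        # assumed group name
    rules:
      # Fraction of requests per pod and peer that did not finish with status="ok".
      # ASSUMPTION: "ok" is the success value of the status label.
      - record: aspenmesh:packet_inspector_request_error_ratio:5m
        expr: |
          sum by (hostname, peer) (rate(aspenmesh_packet_inspector_requests_total{status!="ok"}[5m]))
          /
          sum by (hostname, peer) (rate(aspenmesh_packet_inspector_requests_total[5m]))

      # More than 5% of requests to the analysis service failing for 10 minutes.
      - alert: PacketInspectorAnalysisErrors
        expr: aspenmesh:packet_inspector_request_error_ratio:5m{peer="analysis"} > 0.05
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Packet Inspector on {{ $labels.hostname }}: over 5% of analysis requests failing"

      # The total_duration_ms summary now carries peer="dropped"; a nonzero sample
      # rate there means the pod is spending time on messages that were dropped
      # rather than processed. ASSUMPTION: the summary exposes a _count series.
      - alert: PacketInspectorDroppingMessages
        expr: rate(aspenmesh_packet_inspector_total_duration_ms_count{peer="dropped"}[5m]) > 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "Packet Inspector on {{ $labels.hostname }} is dropping messages"

      # Backlog in the queue channel: a sustained high gauge means analysis cannot
      # keep up. 1000 is a placeholder; size it against the per-pod concurrency
      # limit (default 20 after AM-3880, maximum 200).
      - alert: PacketInspectorQueueBacklog
        expr: aspenmesh_packet_inspector_queue_channel > 1000
        for: 15m
        labels:
          severity: warning
        annotations:
          summary: "Packet Inspector on {{ $labels.hostname }} has {{ $value }} messages queued"

      # Mean time spent waiting on the analysis service, from the summary's
      # _sum and _count series. 2000 ms is a placeholder threshold.
      - alert: PacketInspectorAnalysisSlow
        expr: |
          rate(aspenmesh_packet_inspector_analysis_processing_ms_sum[5m])
          /
          rate(aspenmesh_packet_inspector_analysis_processing_ms_count[5m]) > 2000
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Packet Inspector on {{ $labels.hostname }}: mean analysis wait above 2 s"
```

Load the file through a `PrometheusRule` resource or the `rule_files` entry of your Prometheus configuration, and validate it first with `promtool check rules`; if the analysis service is down, expect the error ratio, the queue backlog, and the dropped-message alert to fire together, which is the signature to page on.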
Known issues#
AM-3069: OpenShift clusters using either the Multi-Primary or the Multi-Primary on different networks configuration for multicluster connectivity fail to create the remote secret with the following error:

```
$ istioctl x create-remote-secret --name=cluster1
error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
```
AM-3547: Pods with Istio sidecars get evicted when a node runs low on storage because they don’t request ephemeral storage.
Download#
Use either of the following methods to download the release archive file: