Aspen Mesh Carrier-Grade 1.11.8-am1.1 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.11.8-am1 and 1.11.8-am1.1.

This release includes a security update.

Supported platforms

This release is officially supported on these platforms and versions:

Platform     Version    Recommended Helm version
OpenShift    4.7        3.8

Security updates

Istio 1.11.8

  • CVE-2022-31045 (CVSS score 5.9, Medium): Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access, resulting in undefined behavior or crashing. The Aspen Mesh team has reevaluated this security vulnerability and assigned it a CVSS score of 7.1 (High).

Istio 1.11.8 proxy (Envoy)

(No security updates)

Aspen Mesh features

(No security updates)

Other changes

Istio 1.11.8

  • SP-2341: Added a feature to allow client workloads without sidecars to communicate over mTLS with server workloads with sidecars whose peer-authentication policy’s mTLS mode is set to PERMISSIVE. Learn how to use this feature.

Istio 1.11.8 proxy (Envoy)

(No changes)

Aspen Mesh features

(No changes)

Known issues

  • AM-3069: OpenShift clusters using either the Multi-Primary or the Multi-Primary on different networks configuration for multicluster connectivity fail to create the remote secret with the following error:

    $ istioctl x create-remote-secret --name=cluster1
    
    error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
    
    error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
    
  • AM-3547: Pods with Istio sidecars get evicted when a node runs low on storage because they don’t request ephemeral storage.
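One way to audit a cluster for exposure to AM-3547, added here as an example (not Aspen Mesh or Istio code): it takes a pod list shaped like the output of `kubectl get pods -A -o json` and reports sidecar-injected pods whose containers have no `ephemeral-storage` request. It assumes the sidecar uses Istio's default container name `istio-proxy`; the helper `_pod` and the sample pods are constructed for illustration.

```python
SIDECAR = "istio-proxy"  # Istio's default sidecar container name (assumed unchanged)


def missing_ephemeral_requests(pod_list):
    """Map 'namespace/pod' -> containers with no ephemeral-storage request,
    for pods that carry an Istio sidecar (the pods AM-3547 concerns)."""
    findings = {}
    for pod in pod_list.get("items", []):
        containers = pod.get("spec", {}).get("containers", [])
        if not any(c.get("name") == SIDECAR for c in containers):
            continue  # no sidecar: out of scope for this check
        missing = [
            c["name"]
            for c in containers
            if "ephemeral-storage"
            not in ((c.get("resources") or {}).get("requests") or {})
        ]
        if missing:
            meta = pod["metadata"]
            findings[f"{meta.get('namespace', 'default')}/{meta['name']}"] = missing
    return findings


def _pod(ns, name, containers):
    """Build a minimal pod object; containers maps name -> requests dict."""
    return {
        "metadata": {"namespace": ns, "name": name},
        "spec": {"containers": [
            {"name": n, "resources": {"requests": r}} for n, r in containers.items()
        ]},
    }


# Constructed sample, shaped like `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    _pod("shop", "cart", {"cart": {"cpu": "100m"}, SIDECAR: {"cpu": "10m"}}),
    _pod("shop", "pay", {"pay": {"ephemeral-storage": "1Gi"}, SIDECAR: {}}),
    _pod("shop", "web", {"web": {"ephemeral-storage": "1Gi"},
                         SIDECAR: {"ephemeral-storage": "512Mi"}}),
    _pod("batch", "job", {"job": {}}),  # no sidecar
]}

if __name__ == "__main__":
    for pod, names in missing_ephemeral_requests(SAMPLE).items():
        print(f"{pod}: no ephemeral-storage request on {', '.join(names)}")
```

To run it against a live cluster, replace `SAMPLE` with the parsed JSON from the `kubectl` command above.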

Download

Use either of the following methods to download the release archive file: