# Aspen Mesh Carrier-Grade 1.11.8-am3 release notes

## Introduction
These release notes describe the differences between Aspen Mesh Carrier-Grade 1.11.8-am2 and 1.11.8-am3.
This release includes security updates.
## Supported platforms

This release is officially supported on these platforms and versions:

| Platform | Version | Recommended Helm version |
|---|---|---|
| OpenShift | 4.7–4.10 | 3.8 |
## Security updates

### Istio 1.11.8
CVE-2022-31045 (CVSS score 5.9, Medium): Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access, resulting in undefined behavior or crashing. The Aspen Mesh team has reevaluated this security vulnerability and assigned it a CVSS score of 7.1 (High).
### Istio 1.11.8 proxy (Envoy)

These Envoy CVEs do not directly impact Istio features:

- CVE-2022-29226 (CVSS score 10.0, Critical): OAuth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism for validating access tokens, so by design, when the HMAC-signed cookie is missing, a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated, thus allowing access in the presence of any access token attached to the request.
- CVE-2022-29225 (CVSS score 7.5, High): Decompressors can be zip bombed. Decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in decodeBody/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small, highly compressed payload.
- CVE-2022-29227 (CVSS score 7.5, High): Internal redirect crash for requests with body/trailers. Envoy internal redirects for requests with bodies or trailers are not safe if the redirect prompts an Envoy-generated local reply.
- CVE-2022-29228 (CVSS score 7.5, High): OAuth filter calls continueDecoding() from within decodeHeaders(). The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions.
- CVE-2022-29224 (CVSS score 5.9, Medium): Segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
### Aspen Mesh features

(No security updates)

## Other changes

### Istio 1.11.8

SP-2341: Added a feature to allow client workloads without sidecars to communicate over mTLS with server workloads with sidecars whose peer-authentication policy's mTLS mode is set to `PERMISSIVE`. Learn how to use this feature.
### Istio 1.11.8 proxy (Envoy)

AM44: Added a response-origin filter that adds a new HTTP header to a sidecar proxy's 5xx error response, which allows a client (consumer) to determine whether the error originated within the sidecar or the application.

SP-2205: Fixed an issue that resulted in only the first URI specified in a certificate being included in the x-forwarded-client-cert (XFCC) header.

SP-2282: Added a socket-option filter that allows you to set the value of `TCP_USER_TIMEOUT` for the TCP connection between a sidecar proxy's Packet Inspector 1 filter and a Packet Inspector 1 daemon-set pod. Setting a value for `TCP_USER_TIMEOUT` overrides the kernel's standard timeout with a shorter timeout that can prevent a sidecar proxy from running out of memory and getting restarted by Kubernetes when transmitted data remains unacknowledged. By default, `TCP_USER_TIMEOUT` is enabled, and its value is 10,000 ms. To change the defaults, add the following information to your Aspen Mesh override values file and change the values of `enabled` or `timeoutMilliseconds` before you perform a clean installation or an upgrade:

```yaml
aspen-mesh-packet-inspector:
  tapFilterTcpUserTimeout:
    enabled: true
    timeoutMilliseconds: 10000
```

To disable `TCP_USER_TIMEOUT`, set `enabled` to `false`. Disabling `TCP_USER_TIMEOUT` results in the kernel using a standard timeout of 15 minutes. To specify a different value for `TCP_USER_TIMEOUT`, set `timeoutMilliseconds` to another value.
### Aspen Mesh features

AM38: Implemented logic in the Packet Inspector 1 filter to infer the metadata destination port from the scheme header if the destination port wasn't specified in the authority header. Also addressed an issue where the port value would not be set when a request had a `3gpp-sbi-target-apiroot` header.

AM48: Modified the Packet Inspector 1 aggregator service and filter to specify the sequence of captures and indicate the end of sequence for a transaction.
AM64: Added a DNS controller to reduce DNS traffic and improve DNS functionality when using Istio service entries. Learn how to use this feature.
SP-2319: Fixed an issue that resulted in Aspen Mesh deploying only one pod for Citadel.
## Known issues

### Istio 1.11.8 proxy (Envoy)

CVE-2022-21656 (CVSS score 3.1, Low): X.509 `subjectAltName` matching (and `nameConstraints`) bypass. Due to significant divergence in the affected source code between this and later versions of Envoy, it's not feasible to implement the fix without destabilizing this version.
If the certificate authorities (CAs) you use are limited to istiod and Citadel, Envoy is not exposed to this vulnerability because those CAs don’t create malformed certificates. If your ingress gateway serves certificates issued by a CA other than Citadel, ensure that the certificates are not malformed.
### Aspen Mesh features

AM-3069: OpenShift clusters using either the Multi-Primary or the Multi-Primary on different networks configuration for multicluster connectivity fail to create the remote secret with the following error:

```
$ istioctl x create-remote-secret --name=cluster1
error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
error: could not get access token to read resources from local kube-apiserver: wrong number of secrets (2) in serviceaccount istio-system/istio-reader-service-account
```
AM-3547: Pods with Istio sidecars get evicted when a node runs low on storage because they don’t request ephemeral storage.
ASM-3699: When Aspen Mesh is in IPv4/IPv6 dual-stack mode on a dual-stack cluster, applications can’t reach hosts defined in service entries.
## Instructions

Use these instructions, with the exception noted below:

### Exception: Socket-option filter

#### Delete a manually installed socket-option filter

**Important:** If you want to perform an upgrade and have previously installed the socket-option filter manually (without using Helm), uninstall the filter first (a new socket-option filter will be installed as part of the upgrade):

1. List any socket-option filters in the `istio-system` namespace (the jq expression selects EnvoyFilters whose first config patch sets socket option 18, which is `TCP_USER_TIMEOUT` on Linux):

   ```
   $ kubectl get envoyfilter --namespace istio-system -o json | \
       jq -r '.items[] | select(.spec.configPatches[0].patch.value.upstream_bind_config.socket_options[0].name==18).metadata.name'
   ```

2. Does the output show the name of a socket-option filter (typically `http-capture-cfg`)?
   - Yes: Go to step 3.
   - No: Stop. You can safely perform an upgrade because the filter is not installed.

3. Delete the socket-option filter:

   ```
   $ kubectl delete envoyfilter --namespace istio-system <filterName>
   ```

You can now safely perform an upgrade.
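The same pre-upgrade check, as an added Python example that is not part of Aspen Mesh or the release: it reproduces the selection logic of the jq command above (first config patch, `upstream_bind_config.socket_options[0].name == 18`) over a constructed EnvoyFilter list in the shape `kubectl get envoyfilter -o json` returns, and also covers an EnvoyFilter with no `configPatches`, which the jq path simply skips. The sample filter names, the `find_socket_option_filters` and `delete_commands` helpers, and the embedded JSON are assumptions made for the example; only the socket option number and the namespace come from the page.

```python
"""Offline pre-upgrade check for manually installed socket-option EnvoyFilters.

Added example, not Aspen Mesh tooling. An EnvoyFilter counts as a socket-option
filter when its first configPatch sets upstream_bind_config.socket_options[0]
with name 18 (TCP_USER_TIMEOUT on Linux), mirroring the jq selection in the
release notes. The EnvoyFilter list below is constructed to resemble the
output of `kubectl get envoyfilter --namespace istio-system -o json`.
"""
import json
import shlex

TCP_USER_TIMEOUT_OPTION = 18  # Linux SOL_TCP option number for TCP_USER_TIMEOUT

# Constructed sample input (not captured from a real cluster).
SAMPLE_ENVOYFILTER_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # constructed: a manually installed socket-option filter
            "metadata": {"name": "http-capture-cfg", "namespace": "istio-system"},
            "spec": {"configPatches": [{
                "applyTo": "CLUSTER",
                "patch": {"operation": "MERGE", "value": {
                    "upstream_bind_config": {"socket_options": [
                        {"level": 6, "name": 18, "int_value": 10000}]}}}}]},
        },
        {   # constructed: an unrelated filter that must not be selected
            "metadata": {"name": "custom-lua", "namespace": "istio-system"},
            "spec": {"configPatches": [{
                "applyTo": "HTTP_FILTER",
                "patch": {"operation": "INSERT_BEFORE",
                          "value": {"name": "envoy.filters.http.lua"}}}]},
        },
        {   # constructed edge case: no configPatches at all
            "metadata": {"name": "empty-filter", "namespace": "istio-system"},
            "spec": {},
        },
    ],
})


def is_socket_option_filter(item: dict, option: int = TCP_USER_TIMEOUT_OPTION) -> bool:
    """True when the first configPatch sets socket option `option` in upstream_bind_config."""
    patches = item.get("spec", {}).get("configPatches") or []
    if not patches:
        return False
    value = patches[0].get("patch", {}).get("value", {})
    sock_opts = value.get("upstream_bind_config", {}).get("socket_options") or []
    return bool(sock_opts) and sock_opts[0].get("name") == option


def find_socket_option_filters(envoyfilter_list_json: str) -> list:
    """Return the names of all socket-option EnvoyFilters in a JSON list document."""
    doc = json.loads(envoyfilter_list_json)
    return [item["metadata"]["name"]
            for item in doc.get("items", [])
            if is_socket_option_filter(item)]


def delete_commands(names, namespace: str = "istio-system") -> list:
    """Build the kubectl delete command for each filter name (shell-quoted)."""
    return [f"kubectl delete envoyfilter --namespace {shlex.quote(namespace)} {shlex.quote(name)}"
            for name in names]


if __name__ == "__main__":
    found = find_socket_option_filters(SAMPLE_ENVOYFILTER_LIST)
    if not found:
        print("No socket-option filter found; you can safely perform an upgrade.")
    else:
        print("Socket-option filter(s) found; delete before upgrading:")
        for cmd in delete_commands(found):
            print("  " + cmd)
```

To run it against a live cluster, replace `SAMPLE_ENVOYFILTER_LIST` with the captured output of the `kubectl get envoyfilter ... -o json` command; the script only prints the delete commands rather than executing them, so the operator reviews them before running step 3.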
## Download
Use either of the following methods to download the release archive file: