Aspen Mesh Carrier-Grade 1.14.6-am2 release notes
Introduction
These release notes describe the differences between Aspen Mesh Carrier-Grade 1.14.6-am1 and 1.14.6-am2.
Supported platforms
This release is officially supported on these platforms and versions:
Platform | Version | Recommended Helm version
|---|---|---|
OpenShift | 4.12 | 3.11
Istio proxy (Envoy) version
1.22
Security updates
Istio
(No security updates)
Istio proxy (Envoy)
CVE-2023-27496 (CVSS score 8.2, High): Client may fake the header x-envoy-original-path.
CVE-2023-27491 (CVSS score 8.1, High): Envoy doesn’t escape HTTP header values.
CVE-2023-27487 (CVSS score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.
CVE-2023-27488 (CVSS score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
CVE-2023-27493 (CVSS score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
CVE-2023-27492 (CVSS score 4.8, Moderate): Crash when a large request body is processed in Lua filter.
Note
These security updates are not included in the open source Istio 1.14.6 proxy.
Aspen Mesh features
(No security updates)
Other changes
Istio
(No changes)
Aspen Mesh features
ASM-3695: Fixed an issue where, when using Multus CNI and the Istio CNI plugin, Aspen Mesh overwrites existing pod annotations during sidecar injection.
ASM-3699: Fixed an issue where, when Aspen Mesh is in IPv4/IPv6 dual-stack mode on a dual-stack cluster, applications can’t reach hosts defined in service entries.
Known issues
ASM-3767: In IPv4/IPv6 dual-stack mode, when non-dual-stack services are exposed via an ingress gateway, the gateway pods don’t become ready.
ASM-4192: The Packet Inspector 1 aggregator service sometimes runs slowly when under load.
ASM-4191: When using Packet Inspector 1, malformed Diameter packets can cause the Istio proxy (Envoy) to crash.
ASM-4250: In OpenShift 4.12 and later, the runOnMaster configuration option for the Packet Inspector 1 aggregator service has no effect. When true, runOnMaster adds a toleration that overrides the node-role.kubernetes.io/master:NoSchedule taint on the control-plane node, allowing an aggregator pod to run on the control-plane node. In OpenShift 4.12 and later, the node-role.kubernetes.io/master:NoSchedule taint is replaced by the node-role.kubernetes.io/control-plane:NoSchedule taint, so the overriding toleration no longer works.
ASM-4263: In a dual-stack installation of Aspen Mesh with service entries with a protocol of TLS and multiple hosts, communication fails for some of the hosts when clients initiate communication over IPv6.
ASM-4265: In a dual-stack installation of Aspen Mesh, the workaround to allow a sidecar to reroute traffic to an application listening on the IPv6 localhost address (::1) (see also IstioIngressListener) fails to reroute traffic to the application.
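To show why the toleration described under ASM-4250 stops working, here is an added Python model of Kubernetes taint/toleration matching (example code, not Aspen Mesh's or Kubernetes' own). The two taint keys come from the issue above; CONTROL_PLANE_TOLERATION is an assumed toleration keyed on the newer taint, not a documented Aspen Mesh setting.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Taint:
    key: str
    effect: str          # "NoSchedule", "PreferNoSchedule" or "NoExecute"
    value: str = ""

@dataclass(frozen=True)
class Toleration:
    key: Optional[str] = None     # empty key with Exists tolerates every key
    operator: str = "Equal"       # "Equal" (default) or "Exists"
    value: str = ""
    effect: Optional[str] = None  # empty effect tolerates every effect

def tolerates(tol: Toleration, taint: Taint) -> bool:
    """Same rules as the Kubernetes scheduler's toleration matching."""
    if tol.effect and tol.effect != taint.effect:
        return False
    if tol.key and tol.key != taint.key:
        return False
    if tol.operator in ("", "Equal"):
        return tol.value == taint.value
    return tol.operator == "Exists"

def schedulable(tolerations, taints) -> bool:
    """A pod fits a node only if every hard taint on it is tolerated."""
    return all(
        any(tolerates(tol, taint) for tol in tolerations)
        for taint in taints
        if taint.effect in ("NoSchedule", "NoExecute")
    )

# Constructed node taints: the key changed in OpenShift 4.12 (see ASM-4250).
MASTER_TAINT = Taint("node-role.kubernetes.io/master", "NoSchedule")
CONTROL_PLANE_TAINT = Taint("node-role.kubernetes.io/control-plane", "NoSchedule")

# The toleration keyed on the old taint, as the page describes runOnMaster adding,
# and (assumption) one keyed on the new taint that a pod would need on 4.12+.
MASTER_TOLERATION = Toleration("node-role.kubernetes.io/master", "Exists", effect="NoSchedule")
CONTROL_PLANE_TOLERATION = Toleration("node-role.kubernetes.io/control-plane", "Exists", effect="NoSchedule")

if __name__ == "__main__":
    # Old-style toleration against a 4.12+ control-plane node: the pod stays Pending.
    print(schedulable([MASTER_TOLERATION], [CONTROL_PLANE_TAINT]))         # False
    print(schedulable([CONTROL_PLANE_TOLERATION], [CONTROL_PLANE_TAINT]))  # True
```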
Download
Use either of the following methods to download the release archive file: