Aspen Mesh Carrier-Grade 1.14.6-am5 release notes

Introduction

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.14.6-am4 and 1.14.6-am5.

Supported platforms

This release is officially supported on these platforms and versions:

Platform     Version   Recommended Helm version
OpenShift    4.12      3.11

Istio proxy (Envoy) version

1.22

Security updates

Note

In addition to fixing the specific vulnerabilities listed below, this release fixes several vulnerabilities in the Go, Envoy, and Istio dependencies.

Istio

(No security updates)

Istio proxy (Envoy)

  • CVE-2023-35941 (CVSS score 8.6, High): OAuth2 credentials exploit with permanent validity.

  • CVE-2023-35944 (CVSS score 8.2, High): Incorrect handling of HTTP requests and responses with mixed case schemes in Envoy.

  • CVE-2023-35945 (CVSS score 7.5, High): HTTP/2 memory leak in nghttp2 codec.

  • CVE-2023-35942 (CVSS score 6.5, Moderate): gRPC access log crash caused by the listener draining.

  • CVE-2023-35943 (CVSS score 6.3, Moderate): CORS filter segfault when origin header is removed.

Note

These security updates are not included in the open source Istio 1.14.6 proxy.

Aspen Mesh features

(No security updates)

Other changes

Istio

(No changes)

Aspen Mesh features

  • ASM-4046: Added a multitenancy configuration option. In a Kubernetes cluster with Aspen Mesh and one or more other Istio-based service meshes installed, multitenancy allows you to prevent Aspen Mesh from injecting sidecars in one or more namespaces labeled for automatic sidecar injection so another Istio-based service mesh can take responsibility for injecting sidecars.

    To enable this feature, which is disabled by default:

    1. Add the following information to your Aspen Mesh override values file:

      multiTenancy:
        enabled: true
        namespacesToIgnoreForInjection:

    2. Add a list of one or more namespaces to the namespacesToIgnoreForInjection field:

      Example

      multiTenancy:
        enabled: true
        namespacesToIgnoreForInjection:
        - mesh-2-sidecars
        - mesh-3-sidecars

    3. Perform a clean installation or an upgrade of Aspen Mesh.

  • ASM-4047: Modified the custom logging fields in the sample chart for the local-reply-modification filter.
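The following script is an added example (not Aspen Mesh's own code) for the ASM-4046 multitenancy option above. It models the setting as described: when multiTenancy.enabled is true, Aspen Mesh skips the namespaces listed in namespacesToIgnoreForInjection so another mesh can inject there. Given the override values (as a Python dict mirroring the YAML, so no YAML library is needed) and a constructed inventory of namespaces with their labels, it reports which mesh is expected to inject into each namespace and warns about ignore-list entries that do nothing (a namespace that does not exist, or one not labeled for injection), since a namespace that no mesh injects into silently loses its sidecar and the mTLS that comes with it. The istio-injection label is the standard Istio opt-in label; that Aspen Mesh honors that label is an assumption, as the notes only say "labeled for automatic sidecar injection".

```python
"""Audit which mesh owns sidecar injection per namespace under multiTenancy.

Added example, not Aspen Mesh's own code.
"""
import re

# Istio's standard opt-in label for automatic sidecar injection. Assumption:
# Aspen Mesh honors the same label (the release notes only say "labeled").
INJECTION_LABEL = "istio-injection"
# Kubernetes namespace names must be DNS-1123 labels.
DNS1123 = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")

# Mirrors the override values file from the release notes (as a dict instead
# of YAML so this runs without a YAML library).
OVERRIDE_VALUES = {
    "multiTenancy": {
        "enabled": True,
        "namespacesToIgnoreForInjection": ["mesh-2-sidecars", "mesh-3-sidecars"],
    }
}

# Constructed namespace inventory (name -> labels) for the demonstration.
NAMESPACES = {
    "payments": {INJECTION_LABEL: "enabled"},
    "mesh-2-sidecars": {INJECTION_LABEL: "enabled"},
    "mesh-3-sidecars": {},            # in the ignore list but never labeled
    "legacy": {},
}


def ignored_namespaces(values):
    """Validate the multiTenancy block and return the namespaces Aspen Mesh skips.

    Raises ValueError on a malformed block so a bad values file fails before
    install rather than silently leaving a tenant namespace unowned.
    """
    block = values.get("multiTenancy") or {}
    enabled = block.get("enabled", False)
    if not isinstance(enabled, bool):
        raise ValueError(f"multiTenancy.enabled must be a boolean, got {enabled!r}")
    names = block.get("namespacesToIgnoreForInjection") or []
    if not isinstance(names, list):
        raise ValueError("namespacesToIgnoreForInjection must be a list")
    for name in names:
        if not isinstance(name, str) or len(name) > 63 or not DNS1123.match(name):
            raise ValueError(f"invalid namespace name in ignore list: {name!r}")
    # With the feature disabled the list has no effect at all.
    return set(names) if enabled else set()


def injection_owner(name, labels, ignored):
    """Which mesh injects into this namespace: aspen-mesh, other-mesh, or none."""
    if labels.get(INJECTION_LABEL) != "enabled":
        return "none"
    return "other-mesh" if name in ignored else "aspen-mesh"


def audit(values, namespaces):
    """Return per-namespace owners plus warnings about entries that do nothing."""
    ignored = ignored_namespaces(values)
    owners = {n: injection_owner(n, labels, ignored) for n, labels in namespaces.items()}
    warnings = []
    for name in sorted(ignored):
        if name not in namespaces:
            warnings.append(f"{name}: in namespacesToIgnoreForInjection but no such namespace")
        elif owners[name] == "none":
            warnings.append(f"{name}: in namespacesToIgnoreForInjection but not labeled "
                            f"{INJECTION_LABEL}=enabled, so the entry has no effect")
    block = values.get("multiTenancy") or {}
    if not block.get("enabled") and block.get("namespacesToIgnoreForInjection"):
        warnings.append("multiTenancy.enabled is false, so namespacesToIgnoreForInjection is ignored")
    return {"owners": owners, "warnings": warnings}


if __name__ == "__main__":
    result = audit(OVERRIDE_VALUES, NAMESPACES)
    for ns, owner in result["owners"].items():
        print(f"{ns:20} injected by: {owner}")
    for w in result["warnings"]:
        print("WARNING:", w)
```

Run it against the real cluster by replacing NAMESPACES with the output of a namespace listing; the point of the warnings is that an ignore-list entry is only meaningful for a namespace that is actually labeled for injection, and that the whole list is inert while multiTenancy.enabled is false.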

Known issues

  • ASM-4192: The Packet Inspector 1 aggregator service sometimes runs slowly when under load.

  • ASM-4191: When using Packet Inspector 1, malformed Diameter packets can cause the Istio proxy (Envoy) to crash.

  • ASM-4250: In OpenShift 4.12 and later, the runOnMaster configuration option for the Packet Inspector 1 aggregator service has no effect. When true, runOnMaster adds a toleration that overrides the node-role.kubernetes.io/master:NoSchedule taint on the control-plane node, allowing an aggregator pod to run on the control-plane node. In OpenShift 4.12 and later, the node-role.kubernetes.io/master:NoSchedule taint is replaced by the node-role.kubernetes.io/control-plane:NoSchedule taint, so the overriding toleration no longer works.

  • ASM-4263: In a dual-stack installation of Aspen Mesh with service entries with a protocol of TLS and multiple hosts, communication fails for some of the hosts when clients initiate communication over IPv6.

  • ASM-4265: In a dual-stack installation of Aspen Mesh, the workaround to allow a sidecar to reroute traffic to an application listening on the IPv6 localhost address (::1) (see also IstioIngressListener) fails to reroute traffic to the application.
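The following script is an added example (not Aspen Mesh's own code) for known issue ASM-4250 above. It implements the Kubernetes toleration-matching rules and checks a pod's tolerations against a node's taints, which shows why the toleration runOnMaster adds for node-role.kubernetes.io/master:NoSchedule has no effect once the control-plane node carries node-role.kubernetes.io/control-plane:NoSchedule instead. The exact toleration runOnMaster adds is not given in the notes; the Exists-operator form used here is an assumption, and the node taints are constructed for the demonstration.

```python
"""Taint/toleration check illustrating known issue ASM-4250.

Added example, not Aspen Mesh's own code.
"""


def toleration_matches(tol, taint):
    """Kubernetes v1 matching rules for one toleration against one taint:
    - an empty toleration effect matches any effect, otherwise effects must be equal
    - operator Exists: an empty key matches every taint key, otherwise keys must be equal
    - operator Equal (the default): key and value must both be equal
    """
    if tol.get("effect") and tol["effect"] != taint.get("effect"):
        return False
    key = tol.get("key", "")
    if tol.get("operator", "Equal") == "Exists":
        return key == "" or key == taint["key"]
    return key == taint["key"] and tol.get("value", "") == taint.get("value", "")


def untolerated_hard_taints(tolerations, taints):
    """Node taints with a hard effect (NoSchedule or NoExecute) that none of the
    pod's tolerations cover. A non-empty result means the scheduler will not
    place the pod on that node; PreferNoSchedule is soft and is not counted."""
    return [
        t for t in taints
        if t.get("effect") in ("NoSchedule", "NoExecute")
        and not any(toleration_matches(tol, t) for tol in tolerations)
    ]


def can_schedule(tolerations, taints):
    """True when every hard taint on the node is tolerated by the pod."""
    return not untolerated_hard_taints(tolerations, taints)


# Assumed shape of the toleration runOnMaster adds: the notes name the taint it
# targets but not the operator, so Exists is used here.
RUN_ON_MASTER_TOLERATION = {
    "key": "node-role.kubernetes.io/master",
    "operator": "Exists",
    "effect": "NoSchedule",
}

# Constructed control-plane node taints before and after the OpenShift 4.12 change.
CONTROL_PLANE_TAINTS_PRE_412 = [
    {"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"},
]
CONTROL_PLANE_TAINTS_412 = [
    {"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"},
]


if __name__ == "__main__":
    cases = (("before 4.12", CONTROL_PLANE_TAINTS_PRE_412), ("4.12 and later", CONTROL_PLANE_TAINTS_412))
    for label, taints in cases:
        blocked = untolerated_hard_taints([RUN_ON_MASTER_TOLERATION], taints)
        print(f"OpenShift {label}: aggregator schedulable on control plane = {not blocked}",
              f"(untolerated taints: {[t['key'] for t in blocked]})")
```

The same check, fed a node's real taints and a pod's real tolerations, tells you before an upgrade which workloads will stop landing where you expect them to.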

Download

Use either of the following methods to download the release archive file: