Aspen Mesh Carrier-Grade 1.14.6-am9 release notes#

Introduction#

These release notes describe the differences between Aspen Mesh Carrier-Grade 1.14.6-am7 and 1.14.6-am9.

Supported platforms#

This release is officially supported on these platforms and versions:

Platform    Version    Recommended Helm version
OpenShift   4.12       3.13
OpenShift   4.14       3.14

Istio proxy (Envoy) version#

1.22

Security updates#

Note

In addition to fixing the specific vulnerabilities listed below, this release fixes vulnerabilities in its Go dependencies.

Istio#

Istio proxy (Envoy)#

  • CVE-2024-23324 (CVSS score 8.6, High): Ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata.

  • CVE-2024-23325 (CVSS score 7.5, High): Envoy crashes when using an address type that isn’t supported by the OS.

  • CVE-2024-23327 (CVSS score 7.5, High): Crash in the proxy protocol filter when the command type is LOCAL.

  • CVE-2024-23322 (CVSS score 5.9, Moderate): Envoy crashes when idle and request per try timeout occur within the backoff interval.

  • CVE-2024-23323 (CVSS score 4.3, Moderate): Excessive CPU usage when URI template matcher is configured using regex.

Aspen Mesh features#

(No security updates)

Other changes#

Istio#

(No changes)

Aspen Mesh features#

  • ASM-4500: Fixed an issue where Envoy responded with a 502 (Bad Gateway) error when a downstream or upstream header it received included a field whose value starts or ends with an ASCII whitespace character. The fix disables the following RFC 9113 field validation for backward compatibility, so such field values no longer trigger the 502:

    “A field value MUST NOT start or end with an ASCII whitespace character (ASCII SP or HTAB, 0x20 or 0x09).”

  • ASM-4542: Fixed an issue where creating a duplicate virtual service whose hostname differs only in capitalization caused Envoy to reject subsequent routing changes.

  • ASM-4545: In Diameter packets captured by Packet Inspector 1, changed the value of the hop limit in IPv6 IP headers from 0 to 255, as specified in the IDD.
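The following is an added example, not Aspen Mesh or Envoy code, illustrating the ASM-4500 change above. It models the two RFC 9113 section 8.2.1 field-value rules a proxy's HTTP/2 codec applies to values decoded from HPACK: the whitespace rule that this release disables, and the NUL/CR/LF rule that must stay strict because a CR/LF inside a value becomes a header-injection vector once the field is re-serialized as HTTP/1.1. The field names, values and the `proxy_status` model are constructed for the example.

```python
"""Audit decoded HTTP header fields against the two RFC 9113 section 8.2.1 field-value rules.

Added example; not Aspen Mesh or Envoy code. It models what a proxy's HTTP/2 codec
checks on each field value as decoded from HPACK (no OWS trimming has happened):
  - whitespace rule: the value MUST NOT start or end with SP (0x20) or HTAB (0x09)
  - control rule:    the value MUST NOT contain NUL (0x00), LF (0x0a) or CR (0x0d)
ASM-4500 relaxes only the whitespace rule; the control rule is never relaxed here.
"""
from typing import Iterable, List, Tuple

SP_HTAB = b" \t"             # ASCII SP and HTAB
FORBIDDEN_CTL = b"\x00\n\r"  # NUL, LF, CR

Field = Tuple[bytes, bytes]  # (name, value) exactly as decoded


def whitespace_padded(value: bytes) -> bool:
    """True if the value starts or ends with SP or HTAB (the rule ASM-4500 disables)."""
    return len(value) > 0 and (value[0] in SP_HTAB or value[-1] in SP_HTAB)


def contains_forbidden_ctl(value: bytes) -> bool:
    """True if the value contains NUL, LF or CR (never relaxed)."""
    return any(byte in value for byte in FORBIDDEN_CTL)


def validate_fields(fields: Iterable[Field], strict_whitespace: bool) -> Tuple[List[Field], List[Tuple[bytes, str]]]:
    """Split fields into (accepted, rejected); each rejected entry carries a reason.

    strict_whitespace=True  models the pre-ASM-4500 behaviour (padded value -> rejected).
    strict_whitespace=False models the fixed behaviour (padded value passed through as-is).
    """
    accepted: List[Field] = []
    rejected: List[Tuple[bytes, str]] = []
    for name, value in fields:
        if contains_forbidden_ctl(value):
            rejected.append((name, "forbidden control character (NUL/CR/LF)"))
        elif strict_whitespace and whitespace_padded(value):
            rejected.append((name, "leading/trailing SP or HTAB"))
        else:
            accepted.append((name, value))
    return accepted, rejected


def proxy_status(upstream_fields: Iterable[Field], strict_whitespace: bool) -> int:
    """Simplified model of the proxy's decision for an upstream response:
    502 if any field fails validation, otherwise the upstream :status."""
    accepted, rejected = validate_fields(upstream_fields, strict_whitespace)
    if rejected:
        return 502
    return int(dict(accepted).get(b":status", b"200"))


# Constructed sample: fields as they would arrive decoded from an HTTP/2 HEADERS frame.
SAMPLE_RESPONSE: List[Field] = [
    (b":status", b"200"),
    (b"content-type", b"application/json"),
    (b"x-request-id", b" 7f3c1e2a "),  # SP-padded: 502 before ASM-4500, passed through after
    (b"x-legacy-flag", b"on\t"),        # HTAB-padded
]

# Constructed sample of a value that must stay rejected regardless of the whitespace rule.
INJECTED_RESPONSE: List[Field] = SAMPLE_RESPONSE + [(b"x-note", b"ok\r\nset-cookie: sid=evil")]


if __name__ == "__main__":
    for label, fields in (("clean-but-padded", SAMPLE_RESPONSE), ("crlf-injected", INJECTED_RESPONSE)):
        for strict in (True, False):
            _, rejected = validate_fields(fields, strict)
            print(f"{label:18} strict_whitespace={strict!s:5} -> HTTP {proxy_status(fields, strict)}"
                  + (f"  rejected={rejected}" if rejected else ""))
```

Running the block prints 502 for the padded sample only while the whitespace rule is strict, and 502 for the CR/LF sample in both modes. Services behind the mesh should not rely on the proxy to trim or reject whitespace-padded values after this release; the control-character rule is the one that still protects HTTP/1.1 backends.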
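A pre-upgrade check for the ASM-4542 condition above, added here as an example and not Aspen Mesh or Istio tooling: it canonicalizes every VirtualService host (lower-case, trailing dot removed, short names expanded to `name.namespace.svc.cluster.local` the way Istio interprets them) and reports hosts that appear under more than one spelling. The cluster domain, the sample VirtualService objects and the script name in the usage note are assumptions.

```python
"""Find VirtualService hosts that collide only by letter case (the ASM-4542 trigger).

Added example; not Aspen Mesh or Istio tooling. DNS hostnames are case-insensitive,
so two VirtualServices whose hosts differ only in capitalization target the same
service. Input is the JSON printed by `kubectl get virtualservices -A -o json`;
a constructed sample is embedded so the script also runs offline.
"""
import json
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: the cluster uses the default Kubernetes cluster domain.
CLUSTER_DOMAIN = "svc.cluster.local"


def canonical_host(host: str, namespace: str) -> str:
    """Normalize a VirtualService host for comparison.

    Lower-cases, drops a trailing dot, and expands a short name the way Istio does
    (host "reviews" in namespace "default" means reviews.default.svc.cluster.local).
    Wildcards and names that already contain a dot are kept as written.
    """
    h = host.strip().lower().rstrip(".")
    if h == "*" or h.startswith("*.") or "." in h:
        return h
    return f"{h}.{namespace}.{CLUSTER_DOMAIN}"


def find_case_collisions(items: List[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Map canonical host -> [(namespace/name, host as written)] for every host
    that is referenced by more than one spelling across the given VirtualServices."""
    by_host: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for vs in items:
        ns = vs["metadata"]["namespace"]
        ref = f"{ns}/{vs['metadata']['name']}"
        for host in vs.get("spec", {}).get("hosts", []):
            by_host[canonical_host(host, ns)].append((ref, host))
    return {h: refs for h, refs in by_host.items() if len({spelling for _, spelling in refs}) > 1}


# Constructed sample in the shape of `kubectl get virtualservices -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "reviews-v1", "namespace": "default"},
     "spec": {"hosts": ["reviews"]}},
    {"metadata": {"name": "reviews-canary", "namespace": "default"},
     "spec": {"hosts": ["Reviews.default.svc.cluster.local"]}},  # same service, different case
    {"metadata": {"name": "ratings", "namespace": "default"},
     "spec": {"hosts": ["ratings"]}},
    {"metadata": {"name": "bookinfo-gw", "namespace": "istio-system"},
     "spec": {"hosts": ["bookinfo.example.com"]}},
]}


if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    collisions = find_case_collisions(doc["items"])
    for host, refs in collisions.items():
        print(f"{host}:")
        for ref, spelling in refs:
            print(f"    {ref}  hosts: {spelling}")
    sys.exit(1 if collisions else 0)
```

Against a live cluster, pipe the real object list in (`kubectl get virtualservices -A -o json | python3 vs_case_check.py`, the script name being hypothetical); a non-zero exit marks at least one host referenced under differing capitalization, which is the configuration that made Envoy stop accepting routing updates before this fix.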

Known issues#

(No known issues)

Download#

Use either of the following methods to download the release archive file: