Aspen Mesh Platform 1.21.6-am1 release notes#

Introduction#

These release notes describe the differences between Aspen Mesh 1.18.7-am1 and 1.21.6-am1.

Supported container-orchestration platforms#

This release is officially supported on these container-orchestration platforms and versions:

Platform     Version       Recommended Helm version
Kubernetes   1.26          3.14
Kubernetes   1.27          3.15
Kubernetes   1.28          3.16
Kubernetes   1.29, 1.32    3.17
OpenShift    4.14          3.15
OpenShift    4.16          3.17

Istio proxy (Envoy) version#

1.29.11

Security updates#

Istio#

(No security updates)

Note

Fixed vulnerabilities in Go (used by Istio).

Istio proxy (Envoy)#

  • CVE-2024-23324 (CVSS score 8.6, High): Ext auth can be bypassed when Proxy protocol filter sets invalid UTF-8 metadata.

  • CVE-2024-45807 (CVSS score 7.5, High): oghttp2 may crash on OnBeginHeadersForStream.

  • CVE-2024-38525 (CVSS score 7.5, Moderate): Datadog: Datadog tracer does not handle trace headers with Unicode characters.

  • CVE-2024-34363 (CVSS score 7.5, High): Vulnerability in the Envoy access log JSON formatter that can lead to abnormal process termination.

  • CVE-2024-32976 (CVSS score 7.5, High): Vulnerability in Brotli decompressor that can lead to infinite loop.

  • CVE-2024-32475 (CVSS score 7.5, High): Abnormal termination when using auto_sni with :authority header longer than 255 characters.

  • CVE-2024-27919 (CVSS score 7.5, High): HTTP/2: memory exhaustion due to CONTINUATION frame flood.

  • CVE-2024-23327 (CVSS score 7.5, High): Crash in the proxy protocol filter when the command type is LOCAL.

  • CVE-2024-23325 (CVSS score 7.5, High): Envoy crashes when using an address type that isn’t supported by the OS.

  • CVE-2024-23322 (CVSS score 7.5, High): Envoy crashes when idle and request per try timeout occur within the backoff interval.

  • CVE-2024-45810 (CVSS score 6.5, Moderate): Envoy crashes for LocalReply in HTTP async client.

  • CVE-2024-45808 (CVSS score 6.5, Moderate): Lack of validation for REQUESTED_SERVER_NAME field for access loggers enables injection of unexpected content into access logs.

  • CVE-2024-45806 (CVSS score 6.5, Moderate): Potential for x-envoy headers to be manipulated by external sources.

  • CVE-2024-34362 (CVSS score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.

  • CVE-2024-32975 (CVSS score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.

  • CVE-2024-32974 (CVSS score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.

  • CVE-2024-23326 (CVSS score 5.9, Moderate): Incorrect handling of responses to HTTP/1 upgrade requests that can lead to request smuggling.

  • CVE-2024-34364 (CVSS score 5.7, Moderate): Unbounded memory consumption in ext_proc and ext_authz.

  • CVE-2024-45809 (CVSS score 5.3, Moderate): JWT filter crash in the clear route cache with remote JWKs.

  • CVE-2024-30255 (CVSS score 5.3, Moderate): HTTP/2: CPU exhaustion due to CONTINUATION frame flood.

  • CVE-2024-23323 (CVSS score 4.3, Moderate): Excessive CPU usage when URI template matcher is configured using regex.

Note

The following Envoy CVE was fixed between open source Istio 1.18.7 and 1.21.6 but had already been fixed in an earlier version of Aspen Mesh. We’ve included it here for completeness.

Aspen Mesh Platform features#

(No security updates)

Other changes#

Istio#

Aspen Mesh Platform features#

  • ASM-4827: The Helm charts in the Aspen Mesh Platform are now released in the Aspen Mesh Artifact Registry instead of in a downloadable archive file. For more information, see The Aspen Mesh Platform.

  • ASM-4450: Removed the Aspen Mesh add-ons, which are no longer supported, from the Aspen Mesh Platform.

  • ASM-3915: Added istio-csr to Aspen Mesh, which allows you to use open source cert-manager as a certificate authority in addition to Istiod and Citadel.

Known issues#

  • ASM-5122: On OpenShift 4.16 and Kubernetes 1.32, the script for verifying that your cluster meets the Aspen Mesh installation prerequisites (tools/verify-installation-prerequisites.sh in the Aspen Mesh Platform chart directory) fails because it uses a kubectl command option that is no longer supported (OpenShift 4.14 is not affected).

    To work around this issue, edit the script to change kubectl version --short to kubectl version.
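As an added example (not part of the Aspen Mesh chart or these release notes), the snippet below shows a portable way to obtain the server version that does not depend on the removed kubectl version --short option behind ASM-5122: it reads kubectl version -o json and matches the result against the Kubernetes versions listed as supported above. The helper names and the sample JSON are this example's own.

```shell
#!/bin/sh
# Portable replacement for `kubectl version --short`: parse the JSON form
# instead, which both older and newer kubectl clients produce.
# Helper names below are this example's own, not the chart script's.

# Extract serverVersion.gitVersion (e.g. "v1.32.0") from `kubectl version -o json`
# output read on stdin. Uses only tr/sed so it works without jq installed.
server_version_from_json() {
  tr -d '\n ' | sed -n 's/.*"serverVersion":{[^}]*"gitVersion":"\([^"]*\)".*/\1/p'
}

# Reduce "v1.32.0" or "v1.29.11-eks-abc" to "1.32" / "1.29" for comparison.
major_minor() {
  printf '%s\n' "$1" | sed -n 's/^v*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Kubernetes versions listed as supported in these release notes.
SUPPORTED_K8S="1.26 1.27 1.28 1.29 1.32"

# Returns 0 if the version's major.minor is in the supported list, 1 otherwise.
is_supported_k8s_version() {
  mm=$(major_minor "$1")
  [ -n "$mm" ] || return 1
  for v in $SUPPORTED_K8S; do
    [ "$v" = "$mm" ] && return 0
  done
  return 1
}

# Query a live cluster; returns 2 if kubectl or the API server is unreachable,
# 1 if the server version is outside the supported list, 0 otherwise.
check_cluster() {
  gv=$(kubectl version -o json 2>/dev/null | server_version_from_json)
  [ -n "$gv" ] || { echo "could not determine server version" >&2; return 2; }
  if is_supported_k8s_version "$gv"; then
    echo "Kubernetes $gv is supported"
  else
    echo "Kubernetes $gv is not in the supported list ($SUPPORTED_K8S)" >&2
    return 1
  fi
}

# Constructed sample of pretty-printed `kubectl version -o json` output,
# embedded so the parsing helpers can be exercised offline.
SAMPLE_JSON='{
  "clientVersion": { "major": "1", "minor": "32", "gitVersion": "v1.32.0" },
  "serverVersion": { "major": "1", "minor": "29", "gitVersion": "v1.29.11",
                     "platform": "linux/amd64" }
}'
```

Run check_cluster against a real cluster; the offline helpers can be exercised with printf '%s' "$SAMPLE_JSON" | server_version_from_json.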