Envoy 1.18.0 released with security releases 1.17.2, 1.16.3, 1.15.4, and 1.14.7

[Tony Allen]

Hello Envoy Community,

We would like to announce the availability of Envoy 1.18.0, 1.17.2, 1.16.3, 1.15.4, and 1.14.7!

(If you are into cool contributor stats check out https://envoy.devstats.cncf.io/)

These versions contain fixes for the following CVE(s):

• CVE-2021-28682 (CVSS score 7.5, High): Envoy through 1.17.1, 1.16.2, 1.15.3, and 1.14.6 contains a remotely exploitable integer overflow via a very large grpc-timeout value causes undefined behavior.
• CVE-2021-28683 (CVSS score 7.5, High): Envoy through 1.17.1 and 1.16.2 contains a remotely exploitable crash in TLS when an unknown TLS alert code is received.
• CVE-2021-29258 (CVSS score 7.5, High): Envoy through 1.17.1, 1.16.2, 1.15.3, and 1.14.6 contains a remotely exploitable crash in Envoy's HTTP2 Metadata, when an empty METADATA map is sent.

Upgrading to 1.18.0, 1.17.2, 1.16.3, 1.15.4, or 1.14.7 is encouraged to fix these issues.

Documentation for all versions can be found at https://www.envoyproxy.io/docs.

For v1.18.0:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.18.0
Docker images: docker pull envoyproxy/envoy:v1.18.0
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.18.0.rst

For v1.17.2:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.17.2
Docker images: docker pull envoyproxy/envoy:v1.17.2
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.17.2.rst

For v1.16.3:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.16.3
Docker images: docker pull envoyproxy/envoy:v1.16.3
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.16.3.rst

For v1.15.4:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.15.4
Docker images: docker pull envoyproxy/envoy:v1.15.4
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.15.4.rst

For v1.14.7:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.14.7
Docker images: docker pull envoyproxy/envoy:v1.14.7
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.14.7.rst

Checking whether you are vulnerable:
Run `envoy --version` and if it indicates a base version matching or older than 1.18.0, 1.17.2, 1.16.3, 1.15.4, or 1.14.7 you are running a vulnerable version.

Vulnerability Details

Integer overflow in large grpc-timeout values leads to unexpected timeout calculations (CVE-2021-28682):
https://github.com/envoyproxy/envoy/security/advisories/GHSA-r22g-5f3x-xjgg

Crash when peer sends a TLS Alert with an unknown code (CVE-2021-28683):
https://github.com/envoyproxy/envoy/security/advisories/GHSA-xw4q-6pj2-5gfg

Crash in HTTP2 when empty METADATA map triggers a reachable assertion (CVE-2021-29258):
https://github.com/envoyproxy/envoy/security/advisories/GHSA-rqvq-hxw5-776j

Thank you to Matt Klein, Rei Shimizu, Asra Ali, Adi Peleg, and Greg Greenway for making this release happen. A lot of work happens behind the scenes!

Cheers,
Tony Allen (on behalf of the Envoy security team and maintainers)

[Matt Klein]

Hi folks,

Getting the 1.18 release out was a bit of a rodeo, so we wound up at:

v1.18.2:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.18.2
Docker images: docker pull envoyproxy/envoy:v1.18.2
Release notes: https://www.envoyproxy.io/docs/envoy/v1.18.2/

The incremental commits have no production impact if you happened to snap the original release.

Thanks,

Matt

--
You received this message because you are subscribed to the Google Groups "envoy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to envoy-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/envoy-users/CAPAE%2Bbo4byWP_XDMfcwCPbebEg8TazxYxHgd9aG_sB6CqtzNNw%40mail.gmail.com.