Envoy v1.27.0 Released and Security release of Envoy [1.26.4, 1.25.9, 1.24.10, 1.23.12] is now available!!!


Boteng Yao

Jul 27, 2023, 9:37:31 AM7/27/23
to envoy-secur...@googlegroups.com, envoy-s...@googlegroups.com, envoy-a...@googlegroups.com, envoy-ma...@googlegroups.com, envoy...@googlegroups.com, envo...@googlegroups.com

Hello Envoy Community,


We would like to announce the availability of Envoy: 1.26.4, 1.25.9, 1.24.10, and 1.23.12!!
Today we also tagged and released Envoy 1.27.0, and that means 1.23 has reached its end-of-life for release support.

These versions contain fixes for the following CVE(s):
  • CVE-2023-35941 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability in the OAuth2 filter that allows a malicious client to bypass authentication and gain permanent access to the service by manipulating the HOST header and OauthExpires cookie.
  • CVE-2023-35942 (CVSS score 6.5, Moderate): Envoy contains a use-after-free vulnerability in the gRPC access logger extension when the listener is drained, causing a crash and denial of service.
  • CVE-2023-35944 (CVSS score 8.2, High): Envoy contains one vulnerability where it mishandles mixed-case schemes in HTTP/2, allowing some requests with mixed schemes to bypass certain checks and potentially impact the security of affected components like OAuth2, HTTP cache, and SSL redirect checks.
  • CVE-2023-35943 (CVSS score 6.3, Moderate): Envoy contains one vulnerability in its HTTP CORS filter, where removing and deleting the origin header between decodeHeaders and encodeHeaders can lead to a segfault and crash in the filter, which can be mitigated by not removing the origin header in the configuration.
Upgrading to 1.27.0, 1.26.4, 1.25.9, 1.24.10, and 1.23.12 is encouraged to fix these issues.

Documentation for all versions can be found at https://www.envoyproxy.io/docs.

For v1.27.0:
Summary of major changes of 1.27.0:
  • New golang network filter
  • Load shed points for rejecting requests under resource pressure
  • Support for CONNECT-UDP (RFC 9298)
  • Access log formatter for printing CEL expressions
  • Open Telemetry compatible stats collector
  • Deferred instantiation on supported stats structures to minimize memory usage.
  • Allowlist of headers that ext_proc filter sends to the external service for processing
  • New admin stats html bucket-mode detailed to generate all recorded buckets and summary percentiles.
  • Added CEL (Common Expression Language) support to the universal matchers.
  • Added support for hot-reloading CRL files when the file changes on disk.
  • Added FIPS compliant build for arm64.
For v1.26.4:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.26.4
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.26.4
Release notes: https://www.envoyproxy.io/docs/envoy/v1.26.4/version_history/v1.26/v1.26.4

For v1.25.9:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.25.9
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.25.9
Release notes: https://www.envoyproxy.io/docs/envoy/v1.25.9/version_history/v1.25/v1.25.9

For v1.24.10:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.24.10
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.24.10
Release notes: https://www.envoyproxy.io/docs/envoy/v1.24.10/version_history/v1.24/v1.24.10

For v1.23.12:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.23.12
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.23.12
Release notes: https://www.envoyproxy.io/docs/envoy/v1.23.12/version_history/v1.23/v1.23.12

Note the Docker images and release notes are pending CI progress, so they might not be immediately available.

Checking whether you are vulnerable:
Run `envoy --version` and if it indicates a base version matching or older than 1.26.4, 1.25.9, 1.24.10, or 1.23.12 you are running a vulnerable version.
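An added shell example, not part of the announcement, that automates the check just described: it extracts the version from the `envoy --version` line (output format assumed, with a constructed sample) and compares it against the fixed releases listed above. It assumes the listed versions are the fixed ones, as the upgrade advice indicates, and so flags only patch levels older than the fix for each release line, plus any end-of-life line before 1.23.

```shell
# Added example (not from the Envoy announcement): flag an Envoy build that is
# older than the fixed releases listed above. Assumed `envoy --version` format
# (constructed sample, not a captured line), of which only MAJOR.MINOR.PATCH is used:
#   envoy  version: <git-sha>/1.26.3/Clean/RELEASE/BoringSSL

# Fixed releases named in the announcement, one per supported minor line.
FIXED_VERSIONS="1.27.0 1.26.4 1.25.9 1.24.10 1.23.12"

# extract_envoy_version "<envoy --version output>" -> prints MAJOR.MINOR.PATCH
extract_envoy_version() {
    printf '%s\n' "$1" |
        sed -n 's#.*/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[^/]*/.*#\1#p' | head -n 1
}

# envoy_is_vulnerable MAJOR.MINOR.PATCH: returns 0 (vulnerable) when the patch
# level is below the fix for its minor line or the line predates 1.23 (no fix
# exists for it); returns 1 otherwise. Assumes the listed versions are the fixes.
envoy_is_vulnerable() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-dev"
    for fixed in $FIXED_VERSIONS; do
        fmajor=${fixed%%.*}; frest=${fixed#*.}
        fminor=${frest%%.*}; fpatch=${frest#*.}
        if [ "$major" -eq "$fmajor" ] && [ "$minor" -eq "$fminor" ]; then
            [ "$patch" -lt "$fpatch" ] && return 0
            return 1
        fi
    done
    # Unlisted line: before 1.23 is end-of-life and unpatched; 1.28+ postdates the fix.
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 23 ]; }; then
        return 0
    fi
    return 1
}

# check_envoy_output "<envoy --version output>": prints a verdict and returns
# 0 if vulnerable, 1 if fixed, 2 if no version could be parsed.
check_envoy_output() {
    v=$(extract_envoy_version "$1")
    [ -n "$v" ] || { echo "could not parse a version from: $1"; return 2; }
    if envoy_is_vulnerable "$v"; then
        echo "envoy $v: vulnerable, upgrade to a fixed release"; return 0
    fi
    echo "envoy $v: at or above the fixed release"; return 1
}

# Constructed sample; on a real host: check_envoy_output "$(envoy --version)"
check_envoy_output 'envoy  version: 0123abcdef/1.26.3/Clean/RELEASE/BoringSSL'
```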

Thank you to Ryan Northey (@phlax), Kateryna Nezdolii, Yan Avlasov, Kevin Baichoo, Alyssa Wilk, Ryan Hamilton, Lizan Zhou, Erik Engberg, William Sears and Paul Gallagher for making this security release happen. A lot of work happens behind the scenes!

Since our 1.26.0 release we've had > 1.1k commits! You can find out more about what the community has accomplished in the release notes.
(If you are into cool contributor stats check out https://envoy.devstats.cncf.io/ for more details)

As always our thanks go out to all of our wonderful users, contributors, maintainers and backporters who are helping to make Envoy such a tremendous success.

Cheers,
Ryan Northey, Kateryna Nezdolii, Yan Avlasov and Boteng Yao (on behalf of the Envoy security team and maintainers)