Hello Envoy Community,

We would like to announce the availability of Envoy 1.18.0, 1.17.2, 1.16.3, 1.15.4, and 1.14.7!

(If you are into cool contributor stats check out https://envoy.devstats.cncf.io/)

These versions contain fixes for the following CVE(s):

- CVE-2021-28682 (CVSS score 7.5, High): Envoy through 1.17.1, 1.16.2, 1.15.3, and 1.14.6 contains a remotely exploitable integer overflow, triggered by a very large grpc-timeout value, that causes undefined behavior.
- CVE-2021-28683 (CVSS score 7.5, High): Envoy through 1.17.1 and 1.16.2 contains a remotely exploitable crash in TLS when an unknown TLS alert code is received.
- CVE-2021-29258 (CVSS score 7.5, High): Envoy through 1.17.1, 1.16.2, 1.15.3, and 1.14.6 contains a remotely exploitable crash in Envoy's HTTP2 Metadata when an empty METADATA map is sent.

Upgrading to 1.18.0, 1.17.2, 1.16.3, 1.15.4, or 1.14.7 is encouraged to fix these issues.
Documentation for all versions can be found at https://www.envoyproxy.io/docs.
For v1.18.0:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.18.0
Docker images: docker pull envoyproxy/envoy:v1.18.0
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.18.0.rst
For v1.17.2:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.17.2
Docker images: docker pull envoyproxy/envoy:v1.17.2
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.17.2.rst
For v1.16.3:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.16.3
Docker images: docker pull envoyproxy/envoy:v1.16.3
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.16.3.rst
For v1.15.4:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.15.4
Docker images: docker pull envoyproxy/envoy:v1.15.4
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.15.4.rst
For v1.14.7:
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.14.7
Docker images: docker pull envoyproxy/envoy:v1.14.7
Release notes: https://github.com/envoyproxy/envoy/blob/master/docs/root/version_history/v1.14.7.rst
Checking whether you are vulnerable:
Run `envoy --version` and if it indicates a base version matching or older than 1.18.0, 1.17.2, 1.16.3, 1.15.4, or 1.14.7 you are running a vulnerable version.
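The check above can be scripted for fleet-wide use. The POSIX sh below is an added example, not part of the announcement or the Envoy project: it parses the version out of `envoy --version` output and compares it against the fixed releases listed in this announcement. It assumes the output has the shape `envoy  version: <commit>/<major.minor.patch>/<status>/<build>/<ssl>` (an assumption, as is the treatment of a version equal to a fixed release as patched, and of anything newer than 1.18 as carrying the fix). The sample lines are constructed, not real build output.

```shell
#!/bin/sh
# Added example (not from the Envoy announcement or project): decide whether an
# Envoy version string is older than the fixed release on its minor line.
#
# Assumed `envoy --version` output shape (assumption, check against your binary):
#   envoy  version: <commit>/<major.minor.patch>/<status>/<build>/<ssl>

# Fixed releases from the announcement, one per supported minor line.
FIXED_VERSIONS="1.18.0 1.17.2 1.16.3 1.15.4 1.14.7"

# Print "major.minor.patch" extracted from one line of `envoy --version` output,
# or nothing if the line does not match the assumed shape.
extract_envoy_version() {
    printf '%s\n' "$1" \
        | sed -n 's|.*version: *[^/]*/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Return 0 (true) when the version is vulnerable: older than the fixed release
# on the same minor line, or on a line older than 1.14 (which never got a fix).
# Return 1 when it is a fixed release or newer.
envoy_version_is_vulnerable() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    for fixed in $FIXED_VERSIONS; do
        fmajor=${fixed%%.*}
        frest=${fixed#*.}
        fminor=${frest%%.*}
        fpatch=${frest#*.}
        if [ "$major" -eq "$fmajor" ] && [ "$minor" -eq "$fminor" ]; then
            # Same minor line: only a smaller patch number is unfixed.
            if [ "$patch" -lt "$fpatch" ]; then
                return 0
            fi
            return 1
        fi
    done
    # Not on a listed line: anything before 1.14 is unpatched (assumption:
    # lines newer than 1.18 include the fix).
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 14 ]; }; then
        return 0
    fi
    return 1
}

# Print a verdict for one line of `envoy --version` output. Always returns 0 so
# it can be used in a loop over many hosts without aborting under `set -e`.
check_envoy_version() {
    ver=$(extract_envoy_version "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $1"
        return 0
    fi
    if envoy_version_is_vulnerable "$ver"; then
        echo "$ver: VULNERABLE, upgrade to one of: $FIXED_VERSIONS"
    else
        echo "$ver: fixed"
    fi
    return 0
}

# Constructed sample lines (placeholder commit hash, not real build output).
SAMPLE_OLD='envoy  version: 0000000000000000000000000000000000000000/1.17.1/Clean/RELEASE/BoringSSL'
SAMPLE_NEW='envoy  version: 0000000000000000000000000000000000000000/1.18.0/Clean/RELEASE/BoringSSL'
check_envoy_version "$SAMPLE_OLD"
check_envoy_version "$SAMPLE_NEW"
# Against a live binary: check_envoy_version "$(envoy --version)"
```

On a single host the last commented line is the whole usage; for a fleet, feed each host's `envoy --version` line to `check_envoy_version` and grep the output for `VULNERABLE`.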
Vulnerability Details
Integer overflow in large grpc-timeout values leads to unexpected timeout calculations (CVE-2021-28682):
https://github.com/envoyproxy/envoy/security/advisories/GHSA-r22g-5f3x-xjgg
Crash when peer sends a TLS Alert with an unknown code (CVE-2021-28683):
https://github.com/envoyproxy/envoy/security/advisories/GHSA-xw4q-6pj2-5gfg
Crash in HTTP2 when empty METADATA map triggers a reachable assertion (CVE-2021-29258):
https://github.com/envoyproxy/envoy/security/advisories/GHSA-rqvq-hxw5-776j
Thank you to Matt Klein, Rei Shimizu, Asra Ali, Adi Peleg, and Greg Greenway for making this release happen. A lot of work happens behind the scenes!
Cheers,
Tony Allen (on behalf of the Envoy security team and maintainers)
You received this message because you are subscribed to the Google Groups "envoy-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/envoy-users/CAPAE%2Bbo4byWP_XDMfcwCPbebEg8TazxYxHgd9aG_sB6CqtzNNw%40mail.gmail.com.