Security releases of Envoy 1.21.1, 1.20.2, 1.19.3 and 1.18.6 are now available


Ryan Hamilton

Feb 22, 2022, 4:06:03 PM
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers

Hello Envoy Community,


The Envoy security team would like to announce the availability of Envoy 1.21.1, 1.20.2, 1.19.3 and 1.18.6.

This addresses the following CVE(s):


* CVE-2021-43824 (CVSS Score 6.5, Medium): Envoy 1.21.0 and earlier - Potential null pointer dereference when using JWT filter safe_regex match


* CVE-2021-43825 (CVSS Score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.


* CVE-2021-43826 (CVSS Score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment


* CVE-2022-21654 (CVSS Score 7.3, High): Envoy 1.7.0 and later - Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.


* CVE-2022-21655 (CVSS Score 7.5, High): Envoy 1.21 and earlier - Incorrect handling of internal redirects to routes with a direct response entry


* CVE-2022-23606 (CVSS Score 4.4, Moderate): Envoy 1.20 and later - Stack exhaustion when a cluster is deleted via Cluster Discovery Service.


* CVE-2022-21656 (CVSS Score 3.1, Low): Envoy 1.20.1 and earlier - X.509 subjectAltName matching (and nameConstraints) bypass. IMPORTANT: Due to significant divergence in affected source code between Envoy versions 1.20 and earlier branches, it is not feasible to backport the fix for CVE-2022-21656 into the 1.19 or 1.18 stable branches without increasing the risk of destabilizing it. As such it will only be fixed in 1.20.


* CVE-2022-21657 (CVSS Score 3.1, Low): Envoy 1.20.1 and earlier - X.509 Extended Key Usage and Trust Purposes bypass




Upgrading to 1.21.1, 1.20.2, 1.19.3 or 1.18.6 is encouraged to fix these issues.


For v1.21.1:

GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.21.1

Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags

Release notes: https://www.envoyproxy.io/docs/envoy/v1.21.1/version_history/current.rst

Docs: https://www.envoyproxy.io/docs/envoy/v1.21.1/


For v1.20.2:

GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.20.2

Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags

Release notes: https://www.envoyproxy.io/docs/envoy/v1.20.2/version_history/current.rst

Docs: https://www.envoyproxy.io/docs/envoy/v1.20.2/


For v1.19.3:

GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.19.3

Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags

Release notes: https://www.envoyproxy.io/docs/envoy/v1.19.3/version_history/current.rst

Docs: https://www.envoyproxy.io/docs/envoy/v1.19.3/


For v1.18.6:

GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.18.6

Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags

Release notes: https://www.envoyproxy.io/docs/envoy/v1.18.6/version_history/current.rst

Docs: https://www.envoyproxy.io/docs/envoy/v1.18.6/


Note that the Docker images and release notes are pending CI progress, so they might not be immediately available.


Checking whether you are vulnerable:

Run `envoy --version` and if it indicates a base version matching or older than 1.21.1, 1.20.2, 1.19.3 or 1.18.6 you are running a vulnerable version.




Thank you to Alyssa Wilk, Greg Greenway, Lizan Zhou, Matt Klein, Otto van der Schaaf, Pradeep Rao, Raul Gutierrez Segales, Ryan Sleevi, Tomasz Ziolkowski, Yan Avlasov for making this release. A lot of work happens behind the scenes!


Thanks,


Ryan Hamilton (on behalf of the Envoy security team and maintainers)


Ryan Hamilton

Feb 24, 2022, 2:54:26 PM
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers
Hello Envoy Community,

Due to an error in the release process, the version strings for the 1.20.2, 1.19.3 and 1.18.6 releases erroneously contain a "-dev" suffix. This is visible, for example, in the output from `envoy --version`. Envoy should work correctly, other than this quirk. We have updated the release process to ensure that this does not happen for future releases, but are sorry for the inconvenience.


Thanks,

Ryan Hamilton (on behalf of the Envoy security team and maintainers)
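The following script is an added example, not part of either announcement above and not Envoy project code. It automates the "Checking whether you are vulnerable" step from the first message and accounts for the "-dev" suffix described in the second: it parses the version out of `envoy --version` output, strips the suffix, and compares the patch level against the fixed release on the same stable branch. The layout of the `envoy --version` line (`envoy  version: <commit>/<version>/<status>/<build>/<ssl>`) and the sample lines with all-zero commit hashes are assumptions made for the example, not taken from the advisory; the fixed-version list and the note that CVE-2022-21656 is only fixed on 1.20 and later come from the advisory itself.

```shell
#!/bin/sh
# Added example, not part of the Envoy advisory: classify an Envoy build
# against the fixed releases named in the announcement.
# Assumption (illustrative, not stated in the advisory): `envoy --version`
# prints a line of the form
#   envoy  version: <commit-sha>/<version>/<status>/<build-type>/<ssl-lib>
# and the 1.20.2, 1.19.3 and 1.18.6 builds report <version> as "1.20.2-dev" etc.

# Lowest fixed release on each stable branch, from the advisory.
FIXED_VERSIONS="1.21.1 1.20.2 1.19.3 1.18.6"

# extract_envoy_version: read `envoy --version` output on stdin and print the
# bare X.Y.Z version, dropping the erroneous "-dev" suffix if present.
extract_envoy_version() {
    sed -n 's#.*version: *[^/]*/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\(-dev\)\{0,1\}/.*#\1#p' | head -n 1
}

# envoy_is_fixed X.Y.Z
# Returns 0 when the version is at or past the fix on its branch (or on a
# branch newer than 1.21, which postdates the advisory), 1 when it is older
# than the fix or on a branch that received no fix at all.
envoy_is_fixed() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    for fixed in $FIXED_VERSIONS; do
        f_rest=${fixed#*.}
        f_minor=${f_rest%%.*}
        f_patch=${f_rest#*.}
        if [ "$minor" -eq "$f_minor" ]; then
            if [ "$patch" -ge "$f_patch" ]; then
                return 0
            else
                return 1
            fi
        fi
    done
    # No matching branch: anything after 1.21 already carries the fixes,
    # anything before 1.18 never received them.
    if [ "$major" -gt 1 ] || [ "$minor" -gt 21 ]; then
        return 0
    fi
    return 1
}

# check_envoy_output "<output of envoy --version>"
# Prints a verdict and returns 0 (fixed), 1 (vulnerable) or 2 (unparseable).
check_envoy_output() {
    ver=$(printf '%s\n' "$1" | extract_envoy_version)
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    if envoy_is_fixed "$ver"; then
        echo "envoy $ver: includes the fixes from this advisory"
        # The advisory states CVE-2022-21656 was not backported to 1.19/1.18.
        case $ver in
            1.18.*|1.19.*) echo "note: CVE-2022-21656 is only fixed on 1.20 and later" ;;
        esac
        return 0
    fi
    echo "envoy $ver: vulnerable, upgrade to 1.21.1, 1.20.2, 1.19.3 or 1.18.6"
    return 1
}

# Constructed sample outputs (not real build lines) for a stand-alone run.
# Against a live binary use:  check_envoy_output "$(envoy --version)"
for sample in \
    "envoy  version: 0000000000000000000000000000000000000000/1.21.1/Clean/RELEASE/BoringSSL" \
    "envoy  version: 0000000000000000000000000000000000000000/1.20.2-dev/Clean/RELEASE/BoringSSL" \
    "envoy  version: 0000000000000000000000000000000000000000/1.19.1/Clean/RELEASE/BoringSSL"
do
    check_envoy_output "$sample" || true
done
```

Because the comparison is done per stable branch rather than against a single minimum, a 1.19.3 build is reported as fixed even though 1.21.1 is numerically higher, which matches how the advisory lists one fixed release per branch.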