Security bulletins

A malicious client is able to construct credentials with permanent validity in some specific scenarios. For example, the combination of host and expiration time in the HMAC payload can be always valid in OAuth2 filter's HMAC check.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than

• 1.17.4
• 1.16.6
• 1.15.7

Upgrade your cluster to one of the following patched versions:

• 1.17.5-asm.0
• 1.16.7-asm.0
• 1.15.7-asm.23

If you are running managed Anthos Service Mesh, your system will be automatically updated within the next few days.

If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above.

High

CVE-2023-35941

gRPC access loggers using the listener's global scope can cause a use-after-free crash when the listener is drained. This can be triggered by an LDS update with the same gRPC access log configuration.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than

• 1.17.4
• 1.16.6
• 1.15.7

Upgrade your cluster to one of the following patched versions:

• 1.17.5-asm.0
• 1.16.7-asm.0
• 1.15.7-asm.23

If you are running managed Anthos Service Mesh, your system will be automatically updated within the next few days.

If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above.

Medium

CVE-2023-35942

If origin header is configured to be removed with request_headers_to_remove: origin, CORS filter will segfault and crash Envoy.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than

• 1.17.4
• 1.16.6
• 1.15.7

Upgrade your cluster to one of the following patched versions:

• 1.17.5-asm.0
• 1.16.7-asm.0
• 1.15.7-asm.23

If you are running managed Anthos Service Mesh, your system will be automatically updated within the next few days.

If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above.

Medium

CVE-2023-35943

Attackers can send mixed scheme requests to bypass some scheme checks in Envoy. For example, if a request with mixed scheme htTp is sent to the OAuth2 filter, it will fail the exact-match checks for http, and inform the remote endpoint the scheme is https, thus potentially bypassing OAuth2 checks specific to HTTP requests.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than

• 1.17.4
• 1.16.6
• 1.15.7

Upgrade your cluster to one of the following patched versions:

• 1.17.5-asm.0
• 1.16.7-asm.0
• 1.15.7-asm.23

If you are running managed Anthos Service Mesh, your system will be automatically updated within the next few days.

If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above.

High

CVE-2023-35944

A specifically crafted response from an untrusted upstream service can cause a denial of service through memory exhaustion. This is caused by Envoy's HTTP/2 codec which may leak a header map and bookkeeping structures upon receiving RST_STREAM immediately followed by the GOAWAY frames from an upstream server.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than

• 1.17.4
• 1.16.6
• 1.15.7

Upgrade your cluster to one of the following patched versions:

• 1.17.4-asm.2
• 1.16.6-asm.3
• 1.15.7-asm.21

If you are running managed Anthos Service Mesh, your system will be automatically updated within the next few days.

If you're using Anthos Service Mesh 1.14 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to ASM 1.15 or above.

High

CVE-2023-35945

If Envoy is running with the OAuth filter enabled exposed, a malicious actor could construct a request which would cause denial of service by crashing Envoy.

What should I do?

Your clusters are impacted if they use Anthos Service Mesh patch versions earlier than:

• 1.16.4
• 1.15.7
• 1.14.6

Upgrade your cluster to one of the following patched versions:

• 1.16.4-asm.2
• 1.15.7-asm.1
• 1.14.6-asm.11

If you're using Anthos Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.14 or above.

Medium

CVE-2023-27496

The attacker can use this vulnerability to bypass auth checks when ext_authz is used.

What should I do?

Your clusters are impacted if they use Anthos Service Mesh patch versions earlier than:

• 1.16.4
• 1.15.7
• 1.14.6

Upgrade your cluster to one of the following patched versions:

• 1.16.4-asm.2
• 1.15.7-asm.1
• 1.14.6-asm.11

If you're using Anthos Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh} 1.14 or above.

Medium

CVE-2023-27488

Envoy configuration must also include an option to add request headers that were generated using inputs from the request, i.e. the peer certificate SAN.

What should I do?

Your clusters are impacted if they use Anthos Service Mesh patch versions earlier than:

• 1.16.4
• 1.15.7
• 1.14.6

Upgrade your cluster to one of the following patched versions:

• 1.16.4-asm.2
• 1.15.7-asm.1
• 1.14.6-asm.11

If you're using Anthos Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.14 or above.

High

CVE-2023-27493

Attackers can send large request bodies for routes that have Lua filter enabled and trigger crashes.

What should I do?

Your clusters are impacted if they use Anthos Service Mesh patch versions earlier than:

• 1.16.4
• 1.15.7
• 1.14.6

Upgrade your cluster to one of the following patched versions:

• 1.16.4-asm.2
• 1.15.7-asm.1
• 1.14.6-asm.11

If you're using Anthos Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.14 or above.

Medium

CVE-2023-27492

Attackers can send specifically crafted HTTP/2 or HTTP/3 requests to trigger parsing errors on HTTP/1 upstream service.

What should I do?

Your clusters are impacted if they use Anthos Service Mesh patch versions earlier than:

• 1.16.4
• 1.15.7
• 1.14.6

Upgrade your cluster to one of the following patched versions:

• 1.16.4-asm.2
• 1.15.7-asm.1
• 1.14.6-asm.11

If you're using Anthos Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.14 or above.

Medium

CVE-2023-27491

The header x-envoy-original-path should be an internal header, but Envoy does not remove this header from the request at the beginning of request processing when it is sent from an untrusted client.

What should I do?

Your clusters are impacted if they use Anthos Service Mesh patch versions earlier than:

• 1.16.4
• 1.15.7
• 1.14.6

Upgrade your cluster to one of the following patched versions:

• 1.16.4-asm.2
• 1.15.7-asm.1
• 1.14.6-asm.11

If you're using Anthos Service Mesh v1.13 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.14 or above.

High

CVE-2023-27487

The Istio control plane istiod is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.14.4, 1.13.8, or 1.12.9.

If you are running standalone Anthos Service Mesh, upgrade your cluster to one of the following patched versions:

• If you're using Anthos Service Mesh 1.14, upgrade to v1.14.4-asm.2
• If you're using Anthos Service Mesh 1.13, upgrade to v1.13.8-asm.4
• If you're using Anthos Service Mesh 1.12, upgrade to v1.12.9-asm.3

If you are running managed Anthos Service Mesh, your system will be automatically updated within the next few days.

If you're using Anthos Service Mesh v1.11 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.12 or later.

High

CVE-2022-39278

Istio data plane can potentially access memory unsafely when the Metadata Exchange and Stats extensions are enabled.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4.

Upgrade your cluster to one of the following patched versions:

• 1.13.4-asm.4
• 1.12.7-asm.2
• 1.11.8-asm.4

If you're using Anthos Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises).

High

CVE-2022-31045

Data can exceed intermediate buffer limits if a malicious attacker passes a small highly compressed payload (also known as a zip bomb attack).

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4.

Although Anthos Service Mesh does not support Envoy filters, you could be impacted if you use a decompress filter.

Upgrade your cluster to one of the following patched versions:

• 1.13.4-asm.4
• 1.12.7-asm.2
• 1.11.8-asm.4

If you're using Anthos Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises).

Envoy users managing their own Envoys should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them.

There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1.

High

CVE-2022-29225

Potential null pointer dereference in GrpcHealthCheckerImpl.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4.

Upgrade your cluster to one of the following patched versions:

• 1.13.4-asm.4
• 1.12.7-asm.2
• 1.11.8-asm.4

If you're using Anthos Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises).

Envoy users managing their own Envoys should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them.

There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1.

Medium

CVE-2021-29224

OAuth filter allows trivial bypass.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4.

Although Anthos Service Mesh does not support Envoy filters, you could be impacted if you use an OAuth filter.

Upgrade your cluster to one of the following patched versions:

• 1.13.4-asm.4
• 1.12.7-asm.2
• 1.11.8-asm.4

If you're using Anthos Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises).

Envoy users managing their own Envoys also use the OAuth filter should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them.

There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1.

Critical

CVE-2021-29226

OAuth filter can corrupt memory (earlier versions) or trigger an ASSERT() (later versions).

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4.

Although Anthos Service Mesh does not support Envoy filters, you could be impacted if you use an OAuth filter.

Upgrade your cluster to one of the following patched versions:

• 1.13.4-asm.4
• 1.12.7-asm.2
• 1.11.8-asm.4

If you're using Anthos Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.11 or later.

Envoy users managing their own Envoys also use the OAuth filter should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them.

There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1.

High

CVE-2022-29228

Internal redirects crash for requests with body or trailers.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.13.4-asm.4, 1.12.7-asm.2, or 1.11.8-asm.4.

Upgrade your cluster to one of the following patched versions:

• 1.13.4-asm.4
• 1.12.7-asm.2
• 1.11.8-asm.4

If you're using Anthos Service Mesh v1.10 or earlier, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.11 or later. For more information, see Upgrading from earlier versions (GKE or Upgrading from earlier versions (on-premises).

Envoy users managing their own Envoys should ensure that they are using Envoy release 1.22.1. Envoy users managing their own Envoys build the binaries from a source like GitHub and deploy them.

There's no action to be taken by users who run managed Envoys (Google Cloud provides the Envoy binaries), for which cloud products will switch to 1.22.1.

High

CVE-2022-29227

The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017 but does not require any authentication from the attacker.

What should I do?

All Anthos Service Mesh versions are impacted by this CVE.

Note: If you are using Managed Control Plane, this vulnerability has already been fixed and you are not impacted.

Upgrade your cluster to one of the following patched versions:

• 1.12.5-asm.0
• 1.11.8-asm.0
• 1.10.6-asm.2

If you're using Anthos Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.10 or above.

High

CVE-2022-24726

Istiod crashes upon receiving requests with a specially crafted authorization header.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.12.4-asm.1, 1.11.7-asm.1, or 1.10.6-asm.1.

Note: If you are using Managed Control Plane, this vulnerability has already been fixed and you are not impacted.

Upgrade your cluster to one of the following patched versions:

• 1.12.4-asm.1
• 1.11.7-asm.1
• 1.10.6-asm.1

If you're using Anthos Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.10 or above.

High

CVE-2022-23635

Potential null pointer dereference when using JWT filter safe_regex match.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.12.4-asm.1, 1.11.7-asm.1, or 1.10.6-asm.1.
• Although Anthos Service Mesh do not support Envoy filters, you could be impacted if you use JWT filter regex.

Upgrade your cluster to one of the following patched versions:

• 1.12.4-asm.1
• 1.11.7-asm.1
• 1.10.6-asm.1

If you're using Anthos Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.10 or above.

Medium

CVE-2021-43824

Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.12.4-asm.1, 1.11.7-asm.1, or 1.10.6-asm.1.
• Although Anthos Service Mesh do not support Envoy filters, you could be impacted if you use a decompress filter.

Upgrade your cluster to one of the following patched versions:

• 1.12.4-asm.1
• 1.11.7-asm.1
• 1.10.6-asm.1

If you're using Anthos Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.10 or above.

Medium

CVE-2021-43825

Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.12.4-asm.1, 1.11.7-asm.1, or 1.10.6-asm.1.
• Although Anthos Service Mesh do not support Envoy filters, you could be impacted if you use a tunneling filter.

Upgrade your cluster to one of the following patched versions:

• 1.12.4-asm.1
• 1.11.7-asm.1
• 1.10.6-asm.1

If you're using Anthos Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.10 or above.

Medium

CVE-2021-43826

Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.12.4-asm.1, 1.11.7-asm.1, or 1.10.6-asm.1.
• All Anthos Service Mesh services using mTLS are impacted by this CVE.

Upgrade your cluster to one of the following patched versions:

• 1.12.4-asm.1
• 1.11.7-asm.1
• 1.10.6-asm.1

If you're using Anthos Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.10 or above.

High

CVE-2022-21654

Incorrect handling of internal redirects to routes with a direct response entry.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.12.4-asm.1, 1.11.7-asm.1, or 1.10.6-asm.1.
• Although Anthos Service Mesh do not support Envoy filters, you could be impacted if you use a direct response filter.

Upgrade your cluster to one of the following patched versions:

• 1.12.4-asm.1
• 1.11.7-asm.1
• 1.10.6-asm.1

If you're using Anthos Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.10 or above.

High

CVE-2022-21655

Stack exhaustion when a cluster is deleted via Cluster Discovery Service.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.12.4-asm.1 or 1.11.7-asm.1.

Upgrade your cluster to one of the following patched versions:

• 1.12.4-asm.1
• 1.11.7-asm.1

If you're using Anthos Service Mesh v1.9 or below, your release has reached end of life and is no longer supported. These CVE fixes have not been backported. You should upgrade to Anthos Service Mesh 1.10 or above.

Medium

CVE-2022-23606

Istio contains a remotely exploitable vulnerability where an HTTP request with a fragment (a section in the end of a URI that begins with a # character) in the URI path could bypass Istio’s URI path-based authorization policies.

For example, an Istio authorization policy denies requests sent to the URI path /user/profile. In the vulnerable versions, a request with the URI path /user/profile#section1 bypasses the deny policy and routes to the backend (with the normalized URI path /user/profile%23section1), which leads to a security incident.

This fix depends on a fix in Envoy, which is associated with CVE-2021-32779.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.
• It uses authorization policies with DENY actions and operation.paths, or ALLOW actions and operation.notPaths.

Upgrade your cluster to one of the following patched versions:

• 1.10.4-asm.6
• 1.9.8-asm.1
• 1.8.6-asm.8
• 1.7.8-asm.10

With the new versions, the fragment part of the request’s URI is removed before the authorization and routing. This prevents a request with a fragment in its URI from bypassing authorization policies which are based on the URI without the fragment part.

If you opt-out of this new behavior, the fragment section in the URI is kept. To opt-out, you can configure your installation as follows:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: opt-out-fragment-cve-fix
  namespace: istio-system
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED: "false"

Note: Opting out of this behavior makes your cluster vulnerable to this CVE.

High

CVE-2021-39156

Istio contains a remotely exploitable vulnerability where an HTTP request could potentially bypass an Istio authorization policy when using rules based on hosts or notHosts.

In the vulnerable versions, the Istio authorization policy compares the HTTP Host or :authority headers in a case-sensitive manner, which is inconsistent with RFC 4343. For example, the user could have an authorization policy that rejects requests with host secret.com, but the attacker can bypass this by sending the request at hostname Secret.com. The routing flow routes the traffic to the backend for secret.com, which causes a security incident.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.
• It uses authorization policies with DENY actions based on operation.hosts or ALLOW actions based on operation.notHosts.

Upgrade your cluster to one of the following patched versions:

• 1.10.4-asm.6
• 1.9.8-asm.1
• 1.8.6-asm.8
• 1.7.8-asm.10

This mitigation makes sure that the HTTP Host or :authority headers are evaluated against the hosts or notHosts specs in the authorization policies in a case-insensitive manner.

High

CVE-2021-39155

Envoy contains a remotely exploitable vulnerability that an HTTP request with multiple value headers could do an incomplete authorization policy check when the ext_authz extension is used. When a request header contains multiple values, the external authorization server will only see the last value of the given header.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.
• It uses the External Authorization feature.

Upgrade your cluster to one of the following patched versions:

• 1.10.4-asm.6
• 1.9.8-asm.1
• 1.8.6-asm.8
• 1.7.8-asm.10

High

CVE-2021-32777

Envoy contains a remotely exploitable vulnerability that affects Envoy's decompressor, json-transcoder, or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy’s extension beyond the internal buffer size could lead to Envoy accessing deallocated memory and terminating abnormally.

What should I do?

Your cluster is impacted if both of the following are true:

• It uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.
• It uses EnvoyFilters.

Upgrade your cluster to one of the following patched versions:

• 1.10.4-asm.6
• 1.9.8-asm.1
• 1.8.6-asm.8
• 1.7.8-asm.10

High

CVE-2021-32781

Envoy contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests could lead to excessive CPU consumption.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.

Upgrade your cluster to one of the following patched versions:

• 1.10.4-asm.6
• 1.9.8-asm.1

Note: If you are using Anthos Service Mesh 1.8 or earlier, please upgrade to the latest patch versions of Anthos Service Mesh 1.9 and above to mitigate this vulnerability.

High

CVE-2021-32778

Envoy contains a remotely exploitable vulnerability where an untrusted upstream service could cause Envoy to terminate abnormally by sending the GOAWAY frame followed by the SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0.

What should I do?

Your cluster is impacted if it uses Anthos Service Mesh 1.10 with a patch version earlier than 1.10.4-asm.6.

Upgrade your cluster to the following patch version:

• 1.10.4-asm.6

High

CVE-2021-32780

The Istio secure Gateway or workloads using the DestinationRule can load TLS private keys and certificates from Kubernetes secrets via the credentialName configuration. From Istio 1.8 and above, the secrets are read from istiod and conveyed to gateways and workloads via XDS.

Normally, a gateway or workload deployment is only able to access TLS certificates and private keys stored in the secret within its namespace. However, a bug in istiod allows a client authorized to access the Istio XDS API to retrieve any TLS certificate and private keys cached in istiod. This security vulnerability only impacts the 1.8 and 1.9 minor releases of Anthos Service Mesh.

What should I do?

Your cluster is impacted if ALL of the following conditions are true:

• It is using a 1.9.x version prior to 1.9.6-asm.1 or a 1.8.x prior to 1.8.6-asm.4.
• It has defined Gateways or DestinationRules with the credentialName field specified.
• It does not specify the istiod flag PILOT_ENABLE_XDS_CACHE=false.

Upgrade your cluster to one of the following patched versions:

• 1.9.6-asm.1
• 1.8.6-asm.4

High

CVE-2021-34824

Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.

What should I do?

This vulnerability impacts only usage of the AUTO_PASSTHROUGH Gateway type, which is typically only used in multi-network, multi-cluster deployments.

Detect the TLS mode of all Gateways in the cluster with the following command:

kubectl get gateways.networking.istio.io -A -o \
  "custom-columns=NAMESPACE:.metadata.namespace, \
  NAME:.metadata.name,TLS_MODE:.spec.servers[*].tls.mode"

If the output shows any AUTO_PASSTHROUGH Gateways, you could be impacted.

Update your clusters to the latest Anthos Service Mesh versions:

• 1.9.5-asm.2
• 1.8.6-asm.3
• 1.7.8-asm.8

* Note: The rollout of the Anthos Service Mesh Managed Control Plane (available only in 1.9.x versions) will complete in the next few days.

High

CVE-2021-31921

Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.

In a scenario where an Istio cluster administrator defines an authorization DENY policy to reject the request at path "/admin", a request sent to the URL path "//admin" will NOT be rejected by the authorization policy.

According to the RFC 3986, the path "//admin" with multiple slashes should technically be treated as a different path from the "/admin". However, some backend services choose to normalize the URL paths by merging multiple slashes to a single slash. This can result in a bypass of the authorization policy ("//admin" does not match "/admin"), and a user can access the resource at path "/admin" in the backend.

What should I do?

Your cluster is impacted by this vulnerability if you have authorization policies using "ALLOW action + notPaths field" or "DENY action + paths field" patterns. These patterns are vulnerable to unexpected policy bypasses and you should upgrade to fix the security issue ASAP.

The following is an example of vulnerable policy that uses "DENY action + paths field" pattern:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-path-admin
spec:
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/admin"]

The following is another example of vulnerable policy that uses "ALLOW action + notPaths field" pattern:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-path-not-admin
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        notPaths: ["/admin"]

Your cluster is not impacted by this vulnerability if:

• You don't have authorization policies.
• Your authorization policies don't define paths or notPaths fields.
• Your authorization policies use "ALLOW action + paths field" or "DENY action + notPaths field" patterns. These patterns could only cause unexpected rejection instead of policy bypasses.

Upgrading is optional for these cases.

Update your clusters to the latest supported Anthos Service Mesh versions*. These versions support configuring the Envoy proxies in the system with more normalization options:

• 1.9.5-asm.2
• 1.8.6-asm.3
• 1.7.8-asm.8

* Note: The rollout of the Anthos Service Mesh Managed Control Plane (available only in 1.9.x versions) will complete in the next few days.

Follow the Istio security best practices guide to configure your authorization policies.

High

CVE-2021-31920

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28682, CVE-2021-28683, and CVE-2021-29258), that could allow an attacker to crash Envoy and potentially render parts of the cluster offline and unreachable.

This impacts delivered services such as Anthos Service Mesh.

What should I do?

To fix these vulnerabilities, upgrade your Anthos Service Mesh bundle to one of the following patched versions:

• 1.9.3-asm.2
• 1.8.5-asm.2
• 1.7.8-asm.1
• 1.6.14-asm.2

For more information, see the Anthos Service Mesh release notes.

High

CVE-2021-28682
CVE-2021-28683
CVE-2021-29258