Aspen Mesh is announcing the release of 1.3.5 which addresses important Istio security updates. Below are the details of the security fixes taken from the Istio 1.3.5 security update.

Security Update: 

ISTIO-SECURITY-2019-006: A DoS vulnerability has been discovered in Envoy.

  • CVE-2019-18817: An infinite loop can be triggered in Envoy if the option continue_on_listener_filters_timeout is set to True, which is the case in Istio. This vulnerability could be leveraged for a DoS attack. 

Bug Fix:

  • Fixed Envoy listener configuration for TCP headless services. (Issue #17748)
  • Fixed an issue which caused stale endpoints to remain even when a deployment was scaled to 0 replicas. (Issue #14436)
  • Fixed Pilot to no longer crash when an invalid Envoy configuration is generated. (Issue #17266)
  • Fixed an issue with the destination_service_name label not getting populated for TCP metrics related to BlackHole/Passthrough clusters. (Issue #17271)
  • Fixed an issue with telemetry not reporting metrics for BlackHole/Passthrough clusters when fall through filter chains were invoked. This occurred when explicit ServiceEntries were configured for external services. (Issue #17759)

Minor Enhancements:

  • Added support for Citadel to periodically check the root certificate remaining lifetime and rotate expiring root certificates. (Issue #17059)
  • Added PILOT_BLOCK_HTTP_ON_443 boolean environment variable to Pilot. If enabled, this flag prevents HTTP services from running on port 443 in order to prevent conflicts with external HTTP services. This is disabled by default. (Issue #16458)

Additionally, the Aspen Mesh 1.3.5 release contains bug fixes and minor enhancements from Istio release 1.3.4.  

The Aspen Mesh 1.3.5 binaries are available for download here.