ISTIO-SECURITY-2020-007

Security Bulletin

June 30, 2020 | 2 minute read

Disclosure Details
CVE(s)	CVE-2020-12603 CVE-2020-12605 CVE-2020-8663 CVE-2020-12604
CVSS Impact Score	7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Releases	1.5 to 1.5.6 1.6 to 1.6.3

Envoy, and subsequently Istio, are vulnerable to four newly discovered vulnerabilities:

CVE-2020-12603: By sending a specially crafted packet, an attacker could cause Envoy to consume excessive amounts of memory when proxying HTTP/2 requests or responses.
- CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-12605: An attacker could cause Envoy to consume excessive amounts of memory when processing specially crafted HTTP/1.1 packets.
- CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-8663: An attacker could cause Envoy to exhaust file descriptors when accepting too many connections.
- CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-12604: An attacker could cause increased memory usage when processing specially crafted packets.
- CVSS Score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Mitigation

For Istio 1.5.x deployments: update to Istio 1.5.7 or later.
For Istio 1.6.x deployments: update to Istio 1.6.4 or later.

CVE-2020-8663 is addressed in Envoy by adding a configurable limit on downstream connections. The limit must be configured to mitigate this vulnerability. Perform the following steps to configure limits at the ingress gateway.

Create a config map by downloading custom-bootstrap-runtime.yaml. Update global_downstream_max_connections in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy will start rejecting tcp connections.
```
$ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
```
Patch the ingress gateway deployment to use the above configuration. Download gateway-patch.yaml and apply it using the following command.
```
$ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)"
```

Confirm that the new limits are in place.

$ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system  -o jsonpath="{.items[0].metadata.name}")
$ kubectl --namespace istio-system exec -i -t  ${ISTIO_INGRESS_PODNAME} -c istio-proxy -- curl http://localhost:15000/runtime

{
"entries": {
 "overload.global_downstream_max_connections": {
  "layer_values": [
   "",
   "250000",
   ""
  ],
  "final_value": "250000"
 }
},
"layers": [
 "static_layer_0",
 "admin"
]
}

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.