ISTIO-SECURITY-2020-007

Multiple denial of service vulnerabilities in Envoy.

Jun 30, 2020

Disclosure Details

CVE(s): CVE-2020-12603, CVE-2020-12605, CVE-2020-8663, CVE-2020-12604
CVSS Impact Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Releases: 1.5 to 1.5.6, 1.6 to 1.6.3

Envoy, and subsequently Istio, are vulnerable to the four newly disclosed denial of service vulnerabilities listed above. The CVSS vector reflects their common impact: an unauthenticated remote attacker can degrade availability (A:H) with no effect on confidentiality or integrity.

Mitigation

Istio releases after 1.5.6 and 1.6.3 (the last affected versions listed above) ship an Envoy that includes the fixes. CVE-2020-8663 is addressed in Envoy by adding a configurable limit on downstream connections. The limit is not enforced unless it is configured, so it must be set to mitigate this vulnerability even on a fixed release. Perform the following steps to configure the limit at the ingress gateway.

  1. Create a config map by downloading custom-bootstrap-runtime.yaml. Set global_downstream_max_connections in the config map to the number of concurrent connections each individual gateway instance needs to serve in your deployment; the value applies per Envoy process, so size it for one gateway pod rather than for the whole fleet. Once the limit is reached, Envoy rejects new TCP connections instead of accepting them, which bounds the resources an attacker can tie up.

    $ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
    
  2. Patch the ingress gateway deployment to use the above configuration. Download gateway-patch.yaml and apply it using the following command.

    $ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch "$(cat gateway-patch.yaml)"
    
  3. Confirm that the new limits are in place.

    $ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system  -o jsonpath="{.items[0].metadata.name}")
    $ kubectl --namespace istio-system exec -i -t  "${ISTIO_INGRESS_PODNAME}" -c istio-proxy -- curl -sS http://localhost:15000/runtime
    
    {
     "entries": {
      "overload.global_downstream_max_connections": {
        "layer_values": [
          "",
          "250000",
          ""
        ],
        "final_value": "250000"
      }
     },
     "layers": [
      "static_layer_0",
      "admin"
     ]
    }
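The following shell functions are an added example and are not the custom-bootstrap-runtime.yaml or gateway-patch.yaml files the advisory links to. They render a ConfigMap that sets the runtime key in a static layer (so the value shown under static_layer_0 in step 3 is the one you chose), and they parse the /runtime response so the check in step 3 can be scripted instead of read by eye, including the failure case where the key is missing because the bootstrap override was never loaded. The ConfigMap name istio-custom-bootstrap-config and the data key custom_bootstrap.json follow Istio's bootstrap-override convention and are assumptions here; the gateway patch that mounts the ConfigMap into the istio-proxy container is not reproduced.

```shell
#!/usr/bin/env bash
# Added example, not Istio's own files. Renders the runtime-limit ConfigMap and
# verifies the limit that Envoy's admin /runtime endpoint reports.
# Assumptions (not from the advisory): ConfigMap name istio-custom-bootstrap-config,
# data key custom_bootstrap.json, and the /runtime JSON shape shown in step 3.
set -eu

RUNTIME_KEY="overload.global_downstream_max_connections"

# Emit a ConfigMap carrying a bootstrap fragment that sets the limit in a static
# runtime layer, followed by an admin layer so the value can still be changed
# live through /runtime_modify. The limit is a runtime key, so it belongs under
# layered_runtime; the nested "overload" object yields the dotted key above.
render_runtime_configmap() {
  limit="$1"
  case "$limit" in
    ''|*[!0-9]*) echo "limit must be a positive integer" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-custom-bootstrap-config
  namespace: istio-system
data:
  custom_bootstrap.json: |
    "layered_runtime": {
      "layers": [
        {
          "name": "static_layer_0",
          "static_layer": {
            "overload": {
              "global_downstream_max_connections": ${limit}
            }
          }
        },
        { "name": "admin", "admin_layer": {} }
      ]
    }
EOF
}

# Print the effective ("final_value") limit from a GET /runtime response.
# Returns 1 when the key is absent, which means the override was not applied.
runtime_limit_from_json() {
  json="$1"
  value=$(printf '%s' "$json" \
    | tr -d '\n' \
    | sed -n "s/.*\"${RUNTIME_KEY}\"[^}]*\"final_value\": *\"\([0-9]*\)\".*/\1/p")
  [ -n "$value" ] || return 1
  printf '%s\n' "$value"
}

# Return 0 when the effective limit equals the expected one, 1 otherwise.
runtime_limit_is() {
  json="$1"; expected="$2"
  actual=$(runtime_limit_from_json "$json") || return 1
  [ "$actual" = "$expected" ]
}

# Live check against the first ingress gateway pod (needs a cluster; the
# offline samples below do not call it).
check_gateway_limit() {
  expected="$1"
  pod=$(kubectl get pods -l app=istio-ingressgateway -n istio-system \
    -o jsonpath='{.items[0].metadata.name}')
  json=$(kubectl -n istio-system exec "$pod" -c istio-proxy -- \
    curl -sS http://localhost:15000/runtime)
  runtime_limit_is "$json" "$expected"
}

# Constructed sample of a /runtime response, shaped like the output in step 3.
SAMPLE_RUNTIME_JSON='{
 "entries": {
  "overload.global_downstream_max_connections": {
    "layer_values": [ "", "250000", "" ],
    "final_value": "250000"
  }
 },
 "layers": [ "static_layer_0", "admin" ]
}'

# Constructed sample from a gateway whose bootstrap override was not applied.
SAMPLE_RUNTIME_JSON_NO_LIMIT='{ "entries": {}, "layers": [ "admin" ] }'

# Offline demo: render the ConfigMap for 250000 connections and check the sample.
render_runtime_configmap 250000 >/dev/null
runtime_limit_is "$SAMPLE_RUNTIME_JSON" 250000 && echo "limit in place: $(runtime_limit_from_json "$SAMPLE_RUNTIME_JSON")"
```

Treat a missing key as a failed mitigation, not as "no limit configured yet": if /runtime does not list overload.global_downstream_max_connections at all, the gateway is running the stock bootstrap and the patch in step 2 did not take effect (wrong namespace, pod not restarted, or ConfigMap not mounted). Keeping the admin layer after the static layer lets you raise or lower the limit on a running gateway with POST /runtime_modify on the admin port while you tune the value, without another rollout.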
    

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.