The value of production LTS support: zero-day response to Istio CVEs

Istio support for CVEs

We often talk about zero-day attacks and exploits in the context of cyber-security and operations, but how often do you hear about a zero-day response to Common Vulnerabilities and Exposures (CVEs) in the IT industry?

Here at Solo we have provided fixes within 24 hours for high-severity CVEs in Istio, including our FIPS-ready builds, and have even backported the fix under Long Term Support (LTS) into the 1.8 line for customers who had not yet been able to upgrade. This is one of many examples of the value of being a Solo customer, and it showcases our leadership in security, our open source contributions, and our commitment to making our customers’ lives that much easier. You can read more about our enterprise production support offerings here.

On June 24th, a new High severity (CVSS score 9.1) CVE was announced in upstream Istio, for which Solo provides custom builds as part of the Gloo Mesh Enterprise license. Details on the upstream Istio vulnerability can be found here: https://istio.io/latest/news/security/istio-security-2021-007/

CVE(s): listed in the upstream Istio advisory linked above
Severity: High (CVSS score 9.1)

Vulnerability details

The Istio Gateway and DestinationRule resources can load private keys and certificates from Kubernetes secrets via the credentialName field. For Istio 1.8 and above, those secrets are conveyed from Istiod to gateways or workloads over the xDS API.

In this approach, a gateway or workload deployment should only be able to access credentials (TLS certificates and private keys) stored in Kubernetes secrets within its own namespace. However, a bug in Istiod lets any authorized Istiod client retrieve any TLS certificate and private key cached in Istiod, regardless of which namespace that client runs in.
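As an added illustration (not from the original post, and not Solo.io's or Istio's own documentation), this is the shape of the configuration the advisory refers to: a TLS secret and a Gateway that loads it via credentialName. The names ingress-cert, my-ingress-gateway and example.com are placeholders. The secret must live in the same namespace as the gateway pods (istio-system for the default ingress gateway), which is exactly the boundary the bug fails to enforce.

```yaml
# Added example, not from the original post. Placeholder names:
# ingress-cert, my-ingress-gateway, example.com.
apiVersion: v1
kind: Secret
metadata:
  name: ingress-cert
  namespace: istio-system        # same namespace as the ingress gateway pods
type: kubernetes.io/tls
data:
  tls.crt: ""                    # base64-encoded PEM certificate chain
  tls.key: ""                    # base64-encoded PEM private key
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-ingress-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway        # the gateway pods that will serve this config
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # Istiod looks the secret up by name in the gateway's own namespace and
      # pushes the key material to the selected gateway proxies over xDS.
      credentialName: ingress-cert
    hosts:
    - "example.com"
```

Before and after upgrading, `istioctl version` prints the control-plane and data-plane versions, and `kubectl -n istio-system get deploy istiod -o jsonpath='{.spec.template.spec.containers[0].image}'` shows the exact istiod image tag to compare against the fix versions below.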

At Solo.io we continue our commitment to serve our customers and to provide the best Istio support available. Our engineering team worked expeditiously to release a fix for all affected versions of our Istio distribution, and our patch was available before Istio’s public notification.

Products Affected

  • Istio tags 1.8 through 1.10, including the FIPS builds, that are part of the Gloo Mesh Enterprise license

Fix Versions

As part of Solo’s N-4 long-term Istio support, Solo has backported the changes to all affected versions of Istio.

  • Istio
    • 1.8.6 → 1.8.6-patch1
    • 1.8.6-fips → 1.8.6-solo-patch1-fips
    • 1.9.5 → 1.9.6
    • 1.9.5-fips → 1.9.6-fips
    • 1.10.1 → 1.10.2
    • 1.10.1-fips → 1.10.2-fips
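The following added script (not Solo.io tooling and not from the original post) turns the fix table above into a check: it reads a list of container image references, such as the output of `kubectl get pods -A -o jsonpath=...`, and reports whether each Istio image tag is at or above the patched version for its minor line. The thresholds are the ones listed above (1.8.6-patch1 and 1.8.6-solo-patch1-fips, 1.9.6, 1.10.2, with or without a -fips suffix); the image-name patterns and the sample image list are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example, not Solo.io's or Istio's own tooling. Checks Istio image tags
# against the fix versions listed in the post.
#
# Real usage (not run here):
#   kubectl get pods -A \
#     -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' \
#     | scan_images

# istio_tag_patched TAG
# Exit 0 if TAG is at or above the fixed version for its minor line,
# 1 if it is an affected tag, 2 if it is outside the 1.8-1.10 range covered
# by the post (including non-version tags such as "latest" or a digest).
istio_tag_patched() {
  tag="$1"
  base="${tag%%-*}"            # "1.8.6-solo-patch1-fips" -> "1.8.6"
  suffix="${tag#"$base"}"      # ... -> "-solo-patch1-fips" (or "")
  case "$base" in *.*.*) ;; *) return 2 ;; esac   # require an x.y.z tag
  major="${base%%.*}"
  rest="${base#*.}"
  minor="${rest%%.*}"
  patch="${rest#*.}"
  [ "$major" = "1" ] || return 2
  case "$patch" in *[!0-9]*|"") return 2 ;; esac  # patch level must be numeric
  case "$minor" in
    8)
      # Fixed only in the 1.8.6 patch builds; plain 1.8.6 / 1.8.6-fips are affected.
      [ "$patch" -gt 6 ] && return 0
      [ "$patch" -eq 6 ] || return 1
      case "$suffix" in *patch1*) return 0 ;; *) return 1 ;; esac
      ;;
    9)  [ "$patch" -ge 6 ] && return 0 || return 1 ;;
    10) [ "$patch" -ge 2 ] && return 0 || return 1 ;;
    *)  return 2 ;;
  esac
}

# scan_images: read image references on stdin and print "STATUS image" for
# each Istio control-plane or proxy image; unrelated images are skipped.
# The name patterns are an assumption; adjust them to your registry layout.
scan_images() {
  while IFS= read -r image; do
    case "$image" in
      */pilot:*|*/proxyv2:*|*istio*:*) ;;
      *) continue ;;
    esac
    tag="${image##*:}"
    istio_tag_patched "$tag" && rc=0 || rc=$?
    case "$rc" in
      0) status=PATCHED ;;
      1) status=AFFECTED ;;
      *) status=UNLISTED ;;
    esac
    printf '%s %s\n' "$status" "$image"
  done
}

# Constructed sample input standing in for the kubectl output above.
SAMPLE_IMAGES='docker.io/istio/pilot:1.9.5
docker.io/istio/proxyv2:1.9.5
docker.io/istio/pilot:1.10.2
docker.io/istio/proxyv2:1.8.6-solo-patch1-fips
docker.io/istio/proxyv2:1.8.6-fips
docker.io/library/nginx:1.21'

printf '%s\n' "$SAMPLE_IMAGES" | scan_images
```

Any AFFECTED line means a proxy or istiod image in the cluster still predates the fix; the istiod image is the one that matters for this bug, since the faulty secret lookup lives in the control plane.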

Suggested actions

We recommend that organizations upgrade to the patched versions of Istio listed above, using the corresponding image tags and following our installation guides available here:

Solo.io is on the list of vendors that receive advance notice of Istio security vulnerabilities before they are made public. We began working on these fixes in Gloo and Istio as soon as the details were made available, and the patches were released within an hour of the post-embargo announcement.

Please refer to the Gloo Mesh Istio documentation for more information. For additional questions or assistance please contact us or your Solo.io representative.