From f670f7a13a85e44a00e2e52fe2a594a2f61af827 Mon Sep 17 00:00:00 2001
From: Michael Zalimeni
Date: Mon, 12 Feb 2024 13:19:31 -0500
Subject: [PATCH] security: Bump Envoy versions to address CVEs
---
 .changelog/20589.txt | 3 +++
 .../nightly-test-integrations-1.15.x.yml | 4 ++--
 .../nightly-test-integrations-1.16.x.yml | 6 ++---
 .../nightly-test-integrations-1.17.x.yml | 4 ++--
 .../workflows/nightly-test-integrations.yml | 6 ++---
 .../workflows/test-integrations-windows.yml | 2 +-
 .github/workflows/test-integrations.yml | 8 +++----
 .../xdscommon/envoy_versioning_test.go | 6 ++---
 envoyextensions/xdscommon/proxysupport.go | 6 ++---
 .../content/docs/connect/proxies/envoy.mdx | 22 ++++++++++---------
 10 files changed, 36 insertions(+), 31 deletions(-)
 create mode 100644 .changelog/20589.txt
diff --git a/.changelog/20589.txt b/.changelog/20589.txt
new file mode 100644
index 0000000000..533dc4cc4c
--- /dev/null
+++ b/.changelog/20589.txt
@@ -0,0 +1,3 @@
+```release-note:security
+mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6), [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26), [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38), [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch), [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j), and [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```
diff --git a/.github/workflows/nightly-test-integrations-1.15.x.yml b/.github/workflows/nightly-test-integrations-1.15.x.yml
index 12b3614d45..3889c7246b 100644
--- a/.github/workflows/nightly-test-integrations-1.15.x.yml
+++ b/.github/workflows/nightly-test-integrations-1.15.x.yml
@@ -74,7 +74,7 @@ jobs:
 # this is further going to multiplied in envoy-integration tests by the
 # other dimensions in the matrix. Currently TOTAL_RUNNERS would be
 # 14 based on these values:
- # envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+ # envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.7", "1.27.3", "1.28.1"]
 # xds-target: ["server", "client"]
 TOTAL_RUNNERS: 7
 JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -109,7 +109,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+ envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.7", "1.27.3", "1.28.1"]
 xds-target: ["server", "client"]
 test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
 env:
diff --git a/.github/workflows/nightly-test-integrations-1.16.x.yml b/.github/workflows/nightly-test-integrations-1.16.x.yml
index 3c0f0274dd..d6cf2aa875 100644
--- a/.github/workflows/nightly-test-integrations-1.16.x.yml
+++ b/.github/workflows/nightly-test-integrations-1.16.x.yml
@@ -74,9 +74,9 @@ jobs:
 # this is further going to multiplied in envoy-integration tests by the
 # other dimensions in the matrix. Currently TOTAL_RUNNERS would be
 # multiplied by 8 based on these values:
- # envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.6"]
+ # envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.7"]
 # xds-target: ["server", "client"]
- TOTAL_RUNNERS: 4
+ TOTAL_RUNNERS: 8
 JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
 run: |
 NUM_RUNNERS=$TOTAL_RUNNERS
@@ -109,7 +109,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.6"]
+ envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.7"]
 xds-target: ["server", "client"]
 test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
 env:
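Review bot: The change from `TOTAL_RUNNERS: 4` to `TOTAL_RUNNERS: 8` in the nightly-test-integrations-1.16.x.yml hunk alters how many runners the nightly job is sharded across, which is independent of the Envoy CVE bump that the subject line and the changelog entry describe; the same unexplained adjustment appears in nightly-test-integrations.yml (4 to 8) and test-integrations.yml (4 to 2). The comment directly above reads "TOTAL_RUNNERS would be multiplied by 8 based on these values", so it is not clear from the hunk whether 8 is meant to equal the 4-version times 2-target matrix size or to double the previous shard count, and nightly-test-integrations-1.17.x.yml keeps `TOTAL_RUNNERS: 4` with an identical four-entry matrix and the same "multiplied by 8" comment, which looks inconsistent. A sentence in the commit description, or a comment such as `# one runner per (envoy-version, xds-target) pair in the matrix below`, would let whoever backports this fix confirm the intended count rather than guess. Keeping CI-capacity changes out of a security-labelled commit also keeps the backport minimal and easier to audit.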
diff --git a/.github/workflows/nightly-test-integrations-1.17.x.yml b/.github/workflows/nightly-test-integrations-1.17.x.yml
index a0c63b7108..6af47c8adf 100644
--- a/.github/workflows/nightly-test-integrations-1.17.x.yml
+++ b/.github/workflows/nightly-test-integrations-1.17.x.yml
@@ -74,7 +74,7 @@ jobs:
 # this is further going to multiplied in envoy-integration tests by the
 # other dimensions in the matrix. Currently TOTAL_RUNNERS would be
 # multiplied by 8 based on these values:
- # envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+ # envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]
 # xds-target: ["server", "client"]
 TOTAL_RUNNERS: 4
 JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -109,7 +109,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+ envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]
 xds-target: ["server", "client"]
 test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
 env:
diff --git a/.github/workflows/nightly-test-integrations.yml b/.github/workflows/nightly-test-integrations.yml
index 4b23cbd052..6dd5d37ed0 100644
--- a/.github/workflows/nightly-test-integrations.yml
+++ b/.github/workflows/nightly-test-integrations.yml
@@ -71,9 +71,9 @@ jobs:
 # this is further going to multiplied in envoy-integration tests by the
 # other dimensions in the matrix. Currently TOTAL_RUNNERS would be
 # multiplied by 8 based on these values:
- # envoy-version: ["1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+ # envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
 # xds-target: ["server", "client"]
- TOTAL_RUNNERS: 4
+ TOTAL_RUNNERS: 8
 JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
 run: |
 NUM_RUNNERS=$TOTAL_RUNNERS
@@ -106,7 +106,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- envoy-version: ["1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+ envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
 xds-target: ["server", "client"]
 test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
 env:
diff --git a/.github/workflows/test-integrations-windows.yml b/.github/workflows/test-integrations-windows.yml
index 30ae62bc00..ef10e6e578 100644
--- a/.github/workflows/test-integrations-windows.yml
+++ b/.github/workflows/test-integrations-windows.yml
@@ -62,7 +62,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- envoy-version: [ "1.28.0" ]
+ envoy-version: [ "1.28.1" ]
 xds-target: [ "server", "client" ]
 env:
 ENVOY_VERSION: ${{ matrix.envoy-version }}
diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml
index 8a2dffa84b..58e477fd15 100644
--- a/.github/workflows/test-integrations.yml
+++ b/.github/workflows/test-integrations.yml
@@ -270,9 +270,9 @@ jobs:
 # this is further going to multiplied in envoy-integration tests by the
 # other dimensions in the matrix. Currently TOTAL_RUNNERS would be
 # multiplied by 2 based on these values:
- # envoy-version: ["1.28.0"]
+ # envoy-version: ["1.28.1"]
 # xds-target: ["server", "client"]
- TOTAL_RUNNERS: 4
+ TOTAL_RUNNERS: 2
 JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
 run: |
 NUM_RUNNERS=$TOTAL_RUNNERS
@@ -305,7 +305,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- envoy-version: ["1.28.0"]
+ envoy-version: ["1.28.1"]
 xds-target: ["server", "client"]
 test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
 env:
@@ -395,7 +395,7 @@ jobs:
 id-token: write # NOTE: this permission is explicitly required for Vault auth.
 contents: read
 env:
- ENVOY_VERSION: "1.28.0"
+ ENVOY_VERSION: "1.28.1"
 CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi"
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
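Review bot: In the test-integrations.yml hunk at `@@ -395,7 +395,7 @@`, the new `ENVOY_VERSION: "1.28.1"` sits next to the unchanged `CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi"`, and the compatibility table this same commit adds to envoy.mdx lists consul-dataplane 1.3.x as bundling Envoy 1.27.x; if that image ships its own Envoy, the dataplane path in this job keeps running an Envoy build that this commit does not patch. The image is built outside this repository, so nothing in the hunk can fix that, but a comment such as `# consul-dataplane bundles its own Envoy; bump this tag once an image built on Envoy 1.27.3 or later is published` would record the dependency, and the commit description could state whether a matching dataplane release is tracked separately. The job that owns this env block starts outside the hunk.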
diff --git a/envoyextensions/xdscommon/envoy_versioning_test.go b/envoyextensions/xdscommon/envoy_versioning_test.go
index ed77c00eb2..f30ced64ca 100644
--- a/envoyextensions/xdscommon/envoy_versioning_test.go
+++ b/envoyextensions/xdscommon/envoy_versioning_test.go
@@ -152,9 +152,9 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 */
 for _, v := range []string{
 "1.25.0", "1.25.1", "1.25.2", "1.25.3", "1.25.4", "1.25.5", "1.25.6", "1.25.7", "1.25.8", "1.25.9", "1.25.10", "1.25.11",
- "1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6",
- "1.27.0", "1.27.1", "1.27.2",
- "1.28.0",
+ "1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6", "1.26.7",
+ "1.27.0", "1.27.1", "1.27.2", "1.27.3",
+ "1.28.0", "1.28.1",
 } {
 cases[v] = testcase{expect: SupportedProxyFeatures{}}
 }
diff --git a/envoyextensions/xdscommon/proxysupport.go b/envoyextensions/xdscommon/proxysupport.go
index 22384f71cc..2b9f566c65 100644
--- a/envoyextensions/xdscommon/proxysupport.go
+++ b/envoyextensions/xdscommon/proxysupport.go
@@ -12,9 +12,9 @@ import "strings"
 //
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
- "1.28.0",
- "1.27.2",
- "1.26.6",
+ "1.28.1",
+ "1.27.3",
+ "1.26.7",
 "1.25.11",
 }
diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx
index a3190f7157..92c4a64fdc 100644
--- a/website/content/docs/connect/proxies/envoy.mdx
+++ b/website/content/docs/connect/proxies/envoy.mdx
@@ -37,21 +37,23 @@ The following matrix describes Envoy compatibility for the currently supported * Consul supports **four major Envoy releases** at the beginning of each major Consul release. Consul maintains compatibility with Envoy patch releases for each major version so that users can benefit from bug and security fixes in Envoy. As a policy, Consul will add support for a new major versions of Envoy in a Consul major release. Support for newer versions of Envoy will not be added to existing releases. -| Consul Version | Compatible Envoy Versions | -| ------------------- | -----------------------------------------------------------------------------------| -| 1.18.x | 1.28.0, 1.27.2, 1.26.6, 1.25.11 | -| 1.17.x | 1.27.2, 1.26.6, 1.25.11, 1.24.12 | -| 1.16.x | 1.26.6, 1.25.11, 1.24.12, 1.23.12 | +| Consul Version | Compatible Envoy Versions | +| ------------------------------- | -----------------------------------------------------------------------------------| +| 1.18.x | 1.28.1, 1.27.3, 1.26.7, 1.25.11 | +| 1.17.x | 1.27.3, 1.26.7, 1.25.11, 1.24.12 | +| 1.16.x | 1.26.7, 1.25.11, 1.24.12, 1.23.12 | +| 1.15.x (LTS - Enterprise only) | 1.28.1, 1.27.3, 1.26.7, 1.25.11, 1.26.7, 1.25.11, 1.24.12, 1.23.12 | ### Envoy and Consul Dataplane The Consul dataplane component was introduced in Consul v1.14 as a way to manage Envoy proxies without the use of Consul clients. Each new minor version of Consul is released with a new minor version of Consul dataplane, which packages both Envoy and the `consul-dataplane` binary in a single container image. For backwards compatibility reasons, each new minor version of Consul will also support the previous minor version of Consul dataplane to allow for seamless upgrades. In addition, each minor version of Consul will support the next minor version of Consul dataplane to allow for extended dataplane support via newer versions of Envoy. 
-| Consul Version | Default `consul-dataplane` Version | Other compatible `consul-dataplane` Versions | -| ------------------- | ------------------------------------------------------------|----------------------------------------------| -| 1.17.x | 1.3.x (Envoy 1.27.x) | 1.2.x (Envoy 1.26.x) | -| 1.16.x | 1.2.x (Envoy 1.26.x) | 1.3.x (Envoy 1.27.x), 1.1.x (Envoy 1.25.x) | -| 1.15.x | 1.1.x (Envoy 1.25.x) | 1.2.x (Envoy 1.26.x), 1.0.x (Envoy 1.24.x) | +| Consul Version | Default `consul-dataplane` Version | Other compatible `consul-dataplane` Versions | +| ------------------------------ | -------------------------------------|----------------------------------------------| +| 1.18.x | 1.4.x (Envoy 1.28.x) | 1.3.x (Envoy 1.27.x) | +| 1.17.x | 1.3.x (Envoy 1.27.x) | 1.4.x (Envoy 1.28.x), 1.2.x (Envoy 1.26.x) | +| 1.16.x | 1.2.x (Envoy 1.26.x) | 1.3.x (Envoy 1.27.x), 1.1.x (Envoy 1.25.x) | +| 1.15.x (LTS - Enterprise only) | 1.1.x (Envoy 1.25.x) | 1.2.x (Envoy 1.26.x), 1.0.x (Envoy 1.24.x) | ## Getting Started