See this follow-up advisory, also sent as an email on July 17, 2020: Rancher Security Advisory Follow-up: CVE-2020-11080 addressed by Istio
Dear Rancher Customer,
This week (on June 11th), Istio released patches to address the following vulnerability:
- CVE-2020-11080: "By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar."
What you need to know
On June 2nd, nghttp2 library announced the CVE-2020-11080 vulnerability. Istio uses Envoy proxy for both its sidecars and ingress-gateway, and Envoy uses the nghttp2 library.
CVE-2020-11080 leaves Istio deployments vulnerable to DDOS attacks via specially crafted requests:
An overly large HTTP/2 SETTINGS frame payload causes a denial of service. In the proof-of-concept attack, a malicious client repeatedly sends a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries), which drives the CPU to 100%.
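As an added illustration (not code from the Rancher or Istio advisory), the check below parses HTTP/2 frame headers and flags SETTINGS frames whose entry count is implausibly large, which is the condition described above; the 16-entry threshold and the sample frames are assumptions constructed for this example.

```python
import struct
from typing import Dict, List, Tuple

FRAME_HEADER_LEN = 9       # RFC 7540 §4.1: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
SETTINGS_FRAME_TYPE = 0x4  # RFC 7540 §6.5
SETTINGS_ENTRY_LEN = 6     # 16-bit identifier + 32-bit value per entry
SETTINGS_ACK_FLAG = 0x1
# RFC 7540 defines six SETTINGS identifiers, so a few entries per frame is normal.
# This threshold is an assumed value for the example; tune it to what your gateways see.
MAX_SANE_SETTINGS_ENTRIES = 16

def parse_frame_header(buf: bytes, offset: int = 0) -> Tuple[int, int, int, int]:
    """Decode the 9-byte frame header at offset -> (length, type, flags, stream_id)."""
    if len(buf) - offset < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(buf[offset:offset + 3], "big")
    frame_type, flags = buf[offset + 3], buf[offset + 4]
    stream_id = int.from_bytes(buf[offset + 5:offset + 9], "big") & 0x7FFFFFFF
    return length, frame_type, flags, stream_id

def classify_settings_frame(length: int, flags: int, max_entries: int = MAX_SANE_SETTINGS_ENTRIES) -> str:
    """Return 'ok', 'malformed' or 'oversized' for a SETTINGS frame with this length and flags."""
    if flags & SETTINGS_ACK_FLAG:
        return "ok" if length == 0 else "malformed"  # an ACK must carry no payload
    if length % SETTINGS_ENTRY_LEN != 0:
        return "malformed"                           # FRAME_SIZE_ERROR per RFC 7540 §6.5
    return "oversized" if length // SETTINGS_ENTRY_LEN > max_entries else "ok"

def scan_frames(buf: bytes, max_entries: int = MAX_SANE_SETTINGS_ENTRIES) -> List[Dict[str, object]]:
    """Walk consecutive frames in buf and report each SETTINGS frame's entry count and verdict."""
    findings, offset = [], 0
    while offset + FRAME_HEADER_LEN <= len(buf):
        length, frame_type, flags, _ = parse_frame_header(buf, offset)
        if frame_type == SETTINGS_FRAME_TYPE:
            findings.append({"offset": offset, "entries": length // SETTINGS_ENTRY_LEN,
                             "verdict": classify_settings_frame(length, flags, max_entries)})
        offset += FRAME_HEADER_LEN + length  # skip the payload regardless of frame type
    return findings

def _frame(frame_type: int, flags: int, payload: bytes) -> bytes:
    """Constructed sample data only: wrap payload in a frame header on stream 0."""
    return len(payload).to_bytes(3, "big") + bytes([frame_type, flags]) + bytes(4) + payload

# Constructed samples (not captured traffic): a normal two-entry SETTINGS frame, an ACK,
# and a 100-entry frame of the shape the advisory describes (its PoC uses 2400 entries).
BENIGN_SETTINGS = _frame(SETTINGS_FRAME_TYPE, 0, struct.pack(">HI", 0x3, 100) + struct.pack(">HI", 0x4, 65535))
SETTINGS_ACK = _frame(SETTINGS_FRAME_TYPE, SETTINGS_ACK_FLAG, b"")
OVERSIZED_SETTINGS = _frame(SETTINGS_FRAME_TYPE, 0, struct.pack(">HI", 0x4, 65535) * 100)
SAMPLE_STREAM = BENIGN_SETTINGS + SETTINGS_ACK + OVERSIZED_SETTINGS
```

Running `scan_frames(SAMPLE_STREAM)` reports the two-entry frame and the ACK as "ok" and the 100-entry frame as "oversized"; the same check applied to the 14,400-byte frame in the advisory would classify it as oversized as well.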
Affected Istio versions
- Istio v1.4.x
- Istio v1.5.x, older than v1.5.5
- Istio v1.6.x, older than v1.6.2
Currently, Istio v1.4.7 is the highest version supported in Rancher v2.3.x and v2.4.x.
Istio v1.5 has not yet been made available in Rancher because there is not a clean upgrade path from v1.4 to v1.5.
Beginning with v1.5, Istio has deprecated the Helm install method, which rules out a zero-downtime migration path from v1.4.x to v1.5.x: there is no upstream Helm upgrade path past v1.4 without manual intervention.
Istio has since made a migration path available (released on May 21st), but it exists only in the v1.6.x release and is performed via an install binary.
Istio v1.4.x recently reached its End of Life (EOL), per Istio's announcement on June 5th. Seemingly for this reason, the CVE-addressing patch provided by Istio is available only on v1.5.5+ and v1.6.2+.
To make the CVE-addressing patch available in Rancher v2.3.x and v2.4.x, Rancher Engineering is considering both of these options:
- Backport the patch to Istio v1.4.7
- Make available Istio v1.5.5+ as an option compatible with Rancher v2.3.x and v2.4.x.
We are weighing and testing both solutions and will provide the option that offers the most stability and the least risk to our users.
Rancher expects to make the fix available within 2-3 calendar weeks of this advisory.
The vulnerability can be mitigated in existing deployments of Istio by disabling HTTP2 support in the Istio Ingress, as outlined here:
From the Rancher side, once a more specific date for the fix has been identified, Rancher Support will send out a follow-up to this advisory.
Simply submit a request via this portal referencing this article, and we will track and respond to your question as a support ticket.
Rancher Support Team