Описание
ELSA-2021-9546: olcne istio istio kubernetes security update (IMPORTANT)
olcne [1.3.2-2]
- Turn off default PodDisruptionBudget in istio template to unblock kubernetes module upgrade
- Update Kubernetes version to 1.20.11 to address CVE-2021-25741
- Update Istio to 1.9.8, 1.10.4 to address CVE-2021-32777, CVE-2021-32778, CVE-2021-32779, CVE-2021-32780 & CVE-2021-32781
- Update proxyv2 image to select iptables legacy or latest based on host operating system
- Fix major.minor k8s version
istio [1.10.4-3]
- Updated iptables-switch for OL8 and OL7 logic
[1.10.4-2]
- Bump release, addresses the following envoy CVEs, CVE-2021-32777, CVE-2021-32778, CVE-2021-32779, CVE-2021-32780 & CVE-2021-32781
[1.10.4-1]
- Added Oracle specific files for 1.10.4-1
istio [1.9.8-3]
- Updated iptables-switch for OL8 and OL7 logic
[1.9.8-2]
- Bump release, addresses the following envoy CVEs, CVE-2021-32777, CVE-2021-32778, CVE-2021-32779, CVE-2021-32780 & CVE-2021-32781
[1.9.8-1]
- Added Oracle specific files for 1.9.8-1
kubernetes [1.20.11-4]
- Fix major.minor version
[1.20.11-3]
- Updated iptables-switch for OL8 and OL7 logic
[1.20.11-2]
- Bump release for CVE fix, addresses CVE-2021-25741
[1.20.11-1]
- Added Oracle specific build files for Kubernetes
Обновленные пакеты
Oracle Linux 8
Oracle Linux x86_64
istio
1.10.4-3.el8
istio
1.9.8-3.el8
istio-istioctl
1.10.4-3.el8
istio-istioctl
1.9.8-3.el8
kubeadm
1.20.11-4.el8
kubectl
1.20.11-4.el8
kubelet
1.20.11-4.el8
olcne-agent
1.3.2-2.el8
olcne-api-server
1.3.2-2.el8
olcne-grafana-chart
1.3.2-2.el8
olcne-istio-chart
1.3.2-2.el8
olcne-nginx
1.3.2-2.el8
olcne-olm-chart
1.3.2-2.el8
olcne-prometheus-chart
1.3.2-2.el8
olcne-utils
1.3.2-2.el8
olcnectl
1.3.2-2.el8
Ссылки на источники
Связанные уязвимости
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using ext-authz extension or back end service that uses multiple value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending request for authorization.
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions when ext-authz extension is sending request headers to the external authorization service it must merge multiple value headers according to the HTTP spec. However, only the last header value is sent. This may allow specifically crafted requests to bypass authorization. Attackers may be able to escalate privileges when using ext-authz extension or back end service that uses multiple value headers for authorization. A specifically constructed request may be delivered by an untrusted downstream peer in the presence of ext-authz extension. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to the ext-authz extension to correctly merge multiple request header values, when sending request for authorization.
Envoy is an open source L7 proxy and communication bus designed for la ...