SECURITY RELEASE

Emissary-ingress, Edge Stack, and Telepresence Security Updates

Envoy Proxy high severity CVE-2023-27493 and CVE-2023-27487, and medium severity CVE-2023-27496, CVE-2023-27488, CVE-2023-27492 and CVE-2023-27491 vulnerabilities addressed

Kai Tillman
Ambassador Labs
Apr 5, 2023

We have released the following security updates to Emissary-ingress, Edge Stack, and Telepresence on Wednesday, 5th April. These updates address security issues that were just announced. The following versions are now available:

  • Emissary-ingress 3.5.2 and Edge Stack 3.5.2 for our API Gateway and ingress controller users.
  • Telepresence Smart Agent 1.13.11 for our Telepresence users.

We recommend all users upgrade to the appropriate version.

Envoy Proxy Vulnerabilities

The Telepresence Smart Agent has been updated with the latest patched version of Envoy Proxy 1.23.7. The following vulnerabilities were addressed in this release:

  • CVE-2023-27487 (CVSS Score 8.2, High): Client may fake the header `x-envoy-original-path`
  • CVE-2023-27493 (CVSS Score 8.1, High): Envoy doesn’t escape HTTP header values
  • CVE-2023-27491 (CVSS Score 5.4, Medium): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers

The Telepresence Smart Agent is not affected by the medium severity vulnerabilities CVE-2023-27488, CVE-2023-27492, and CVE-2023-27496.

Emissary-ingress 3.5.2 and Edge Stack 3.5.2 include a patched Envoy Proxy 1.24. The following vulnerabilities were addressed in this release:

  • CVE-2023-27487 (CVSS Score 8.2, High): Client may fake the header `x-envoy-original-path`
  • CVE-2023-27493 (CVSS Score 8.1, High): Envoy doesn’t escape HTTP header values
  • CVE-2023-27488 (CVSS Score 5.4, Medium): gRPC client produces invalid protobuf when an HTTP header with a non-UTF-8 value is received
  • CVE-2023-27491 (CVSS Score 5.4, Medium): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers
  • CVE-2023-27492 (CVSS Score 4.8, Medium): Crash when a large request body is processed in the Lua filter

Emissary-ingress and Edge Stack are not affected by the medium severity vulnerability CVE-2023-27496.
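As an added illustration (not code from Ambassador Labs or Envoy), the checks below show the classes of downstream header problem named in the lists above from the defender's side: an internal `x-envoy-original-path` header arriving from a client, field values that are not valid HTTP field content (control bytes, non-UTF-8), and field names that are invalid on the HTTP/2 wire. The rule set and the sample headers are simplified assumptions for this example and do not reproduce Envoy's actual fix.

```python
# Ingress-side header hygiene checks (added illustration, not Envoy's or
# Emissary's code). The rules are simplified assumptions: they show what a
# proxy must reject, not how the patched Envoy releases implement it.

# Headers the proxy sets itself; a copy arriving from downstream is dropped.
PROXY_INTERNAL_HEADERS = {b"x-envoy-original-path"}

# Connection-specific headers that are invalid in HTTP/2 (RFC 9113 section 8.2.2).
CONNECTION_SPECIFIC = {b"connection", b"keep-alive", b"proxy-connection",
                       b"transfer-encoding", b"upgrade"}


def value_is_valid(value: bytes) -> bool:
    """True if value has no control bytes (HTAB allowed) and decodes as UTF-8."""
    if any((b < 0x20 and b != 0x09) or b == 0x7F for b in value):
        return False
    try:
        value.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def sanitize_downstream_headers(headers):
    """Return (clean_headers, findings): offending headers are dropped and each
    drop is recorded as a finding string suitable for logging or alerting."""
    clean, findings = [], []
    for name, value in headers:
        lname = name.lower()
        if name != lname:
            findings.append(f"uppercase field name rejected: {name!r}")
        elif lname in PROXY_INTERNAL_HEADERS:
            findings.append(f"client-supplied internal header dropped: {lname!r}")
        elif lname in CONNECTION_SPECIFIC:
            findings.append(f"connection-specific header invalid in HTTP/2: {lname!r}")
        elif not value_is_valid(value):
            findings.append(f"invalid field value for {lname!r}: {value!r}")
        else:
            clean.append((lname, value))
    return clean, findings


# Constructed sample request headers (not captured traffic).
SAMPLE = [
    (b"host", b"api.example.internal"),
    (b"x-envoy-original-path", b"/some/path"),   # internal header from a client
    (b"x-trace", b"abc\r\nx-injected: 1"),        # CR/LF inside a field value
    (b"x-bin", b"\xff\xfe"),                      # not valid UTF-8
    (b"Connection", b"close"),                    # uppercase name, connection-specific
    (b"user-agent", b"curl/8.0"),
]
```

Running `sanitize_downstream_headers(SAMPLE)` forwards only `host` and `user-agent` and yields four findings, one per dropped header.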

Security Response

Security is critical to Ambassador Labs. If you discover any security issues in Ambassador Labs, please privately email secalert@datawire.io. We will continue to release updates in response to disclosed security vulnerabilities.

Upgrading Emissary-ingress and Edge Stack

The latest versions of Emissary-ingress and Edge Stack are now available here:

You can also install these projects using Helm.

# Add repository and create namespace
helm repo add datawire https://www.getambassador.io

# Helm 3
kubectl create namespace ambassador && helm install ambassador --namespace ambassador datawire/ambassador

# Helm 2
kubectl create namespace ambassador && helm install --name ambassador --namespace ambassador datawire/ambassador

To install the Ambassador Edge Stack, follow the quick start.

To upgrade from your current version of the Ambassador Edge Stack to 3.y, please follow the instructions here.

Upgrading to Telepresence

Telepresence versions after 2.6.0 will automatically update the smart agent to 1.13.11, unless you’ve configured a specific version of the smart agent. If you’re running an older version of Telepresence, we strongly recommend you upgrade.

Get Started with Ambassador Cloud

Ambassador Cloud provides a web-based user interface for you to manage Telepresence, Emissary-ingress, and Edge Stack. Sign up for a free account today!
