Page MenuHomePhabricator
Create Task
Maniphest T246868

envoyproxy: CVE-2020-8664 CVE-2020-8661 CVE-2020-8660 CVE-2020-8659
Closed, ResolvedPublic
Actions

Description

The new Envoy 1.13.1 fixes four security issues:
https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history

It's not yet clear whether they affect the 1.12 release we're running, but seems likely:

CVE-2020-8664:
A vulnerability was found in Envoy, where using SDS with Combined Validation Context Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context to be not applied, even though it was visible in the active config dump.

CVE-2020-8661:
A vulnerability was found in Envoy version 1.13.0 or earlier may consume excessive amounts of memory when responding internally to pipelined requests.

CVE-2020-8660:
A vulnerability was found in Envoy. where TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process.

CVE-2020-8659:
A vulnerability was found in Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (i.e. 1 byte) chunks.

Details

SubjectRepoBranchLines +/-
Bump tls.image_version for envoy update to 1.13.1.operations/deployment-chartsmaster+24 -24
Bump versions for envoy and envoy-tls-local-proxy to 1.13.1.operations/docker-images/production-imagesmaster+12 -0
Customize query in gerrit

Related Objects

Event Timeline

MoritzMuehlenhoff created this task.Mar 4 2020, 8:26 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 4 2020, 8:26 AM
Joe assigned this task to RLazarus.Mar 4 2020, 8:28 AM

yes they do, they also released 1.12.3

I think we can move to 1.13 and slowly rollout the change.

Assigning to our envoy-build expert in residence :P

DannyS712 subscribed.Mar 4 2020, 8:32 AM
RLazarus added a comment.Mar 4 2020, 3:24 PM

I'm pretty sure our envoy-build expert in residence just assigned this to me, but I'm happy to give this a shot anyway.

RLazarus added a comment.Mar 17 2020, 3:30 PM

Belated update: we decided to upgrade to 1.13.1 (not 1.12.3). So far it's deployed to all MW hosts in codfw, plus the MW canaries in eqiad. Monitoring for impact, then we'll proceed to the rest of MW, then Kubernetes hosts.

gerritbot added a comment.Mar 18 2020, 11:33 AM

Change 580906 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/docker-images/production-images@master] Update envoy, add ability to define an idle timeout

https://gerrit.wikimedia.org/r/580906

gerritbot added a project: Patch-For-Review.Mar 18 2020, 11:33 AM
RLazarus added a subscriber: Dzahn.Mar 18 2020, 4:03 PM

Deployed 1.13.1 to all hosts where we're using envoy as a TLS proxy, that is, C:profile::tlsproxy::envoy. Exception: mendelevium.eqiad.wmnet is still running Jessie for now, and Envoy 1.11.1. (fyi @Dzahn)

Dzahn added a comment.Mar 18 2020, 9:33 PM

ACK, that's T224590 and i just made T248028 to keep that moving.

RLazarus added a comment.Mar 19 2020, 8:52 PM

All remaining MW hosts are updated. That leaves parsoid, snapshot hosts, and a few other odds and ends.

gerritbot added a comment.Mar 19 2020, 9:00 PM

Change 581747 had a related patch set uploaded (by RLazarus; owner: RLazarus):
[operations/docker-images/production-images@master] Bump versions for envoy and envoy-tls-local-proxy to 1.13.1.

https://gerrit.wikimedia.org/r/581747

gerritbot added a comment.Mar 23 2020, 3:14 PM

Change 581747 merged by RLazarus:
[operations/docker-images/production-images@master] Bump versions for envoy and envoy-tls-local-proxy to 1.13.1.

https://gerrit.wikimedia.org/r/581747

RLazarus added a subscriber: ArielGlenn.Mar 23 2020, 4:06 PM

All hosts updated except snapshot1006, held back until later this week per @ArielGlenn.

gerritbot added a comment.Mar 23 2020, 6:57 PM

Change 582880 had a related patch set uploaded (by RLazarus; owner: RLazarus):
[operations/deployment-charts@master] Bump tls.image_version for envoy update to 1.13.1.

https://gerrit.wikimedia.org/r/582880

gerritbot added a comment.Mar 24 2020, 2:54 PM

Change 582880 merged by jenkins-bot:
[operations/deployment-charts@master] Bump tls.image_version for envoy update to 1.13.1.

https://gerrit.wikimedia.org/r/582880

Stashbot added a comment.Mar 25 2020, 8:14 AM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T08:14:14Z] <_joe_> upgrading all eventgate-main to envoy 1.13.1 T246868

Stashbot added a comment.Mar 25 2020, 4:07 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T16:07:18Z] <rlazarus> updating blubberoid to envoy 1.13.1 T246868

Stashbot added a comment.Mar 25 2020, 7:29 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T19:29:28Z] <rlazarus> updating eventstreams to envoy 1.13.1 T246868

Stashbot added a comment.Mar 25 2020, 8:19 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T20:19:48Z] <rlazarus> updating citoid to envoy 1.13.1 T246868

Stashbot added a comment.Mar 25 2020, 8:22 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T20:22:38Z] <rlazarus> updating cxserver to envoy 1.13.1 T246868

Stashbot added a comment.Mar 25 2020, 9:07 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T21:07:00Z] <rlazarus> updating eventgate-analytics to envoy 1.13.1 T246868

Stashbot added a comment.Mar 25 2020, 9:16 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T21:16:32Z] <rlazarus> holding off on updating eventgate-analytics until EU time, to check on unexpected helmfile diffs T246868

Stashbot added a comment.Mar 25 2020, 9:44 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T21:44:36Z] <rlazarus> updating eventgate-analytics-external to envoy 1.13.1 T246868

Stashbot added a comment.Mar 25 2020, 10:05 PM

Mentioned in SAL (#wikimedia-operations) [2020-03-25T22:05:13Z] <rlazarus> updating eventgate-logging-external to envoy 1.13.1 T246868

RLazarus added a comment.Mar 25 2020, 10:39 PM

All kubernetes services are updated in all clusters. (T246868#6000068 turned out to be operator error, there were no unexpected diffs.)

ayounsi subscribed.Mar 26 2020, 7:44 AM
In T246868#5999850, @Stashbot wrote:

Mentioned in SAL (#wikimedia-operations) [2020-03-25T20:22:38Z] <rlazarus> updating cxserver to envoy 1.13.1 T246868

Seems to match the start of:
https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=cxserver.svc.eqiad.wmnet&service=Cxserver+LVS+eqiad
and
https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=cxserver.svc.codfw.wmnet&service=Cxserver+LVS+codfw

RLazarus added a subscriber: akosiaris.Mar 26 2020, 2:36 PM
In T246868#6001036, @ayounsi wrote:

Seems to match the start of:
https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=cxserver.svc.eqiad.wmnet&service=Cxserver+LVS+eqiad
and
https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=cxserver.svc.codfw.wmnet&service=Cxserver+LVS+codfw

Thanks for the pointer, but it looks like the timestamps don't line up -- that's been alerting since a couple hours before I touched it here. (Alert at 18:39, my deploy at 20:22.) I wish I'd spotted it before I touched production, but otherwise it shouldn't be related to this change.

It looks like @akosiaris filed T248578 and there's a cause identified.

Joe added a comment.Mar 30 2020, 10:43 AM

@RLazarus this is done, right? Is there anything left to do?

RLazarus added a comment.Mar 30 2020, 2:46 PM

Just snapshot1006 left, it's on my list for this morning.

RLazarus closed this task as Resolved.Mar 30 2020, 2:50 PM

And done.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits