We are releasing K10 v2.0.4 today to address three High / Critical severity vulnerabilities reported by the Envoy security team on December 10. These issues can allow untrusted remote clients to crash Envoy or gain privileges that they should not have. Kasten K10, our data management platform purpose-built for Kubernetes, provides enterprise operations teams an easy-to-use, scalable, and secure system for backup/restore, disaster recovery, and mobility of Kubernetes applications. Like Istio and a host of other applications, K10 depends on Envoy through our use of Ambassador (props to the Ambassador team on getting their bug-fix release out so quickly too!) to route traffic into our platform.
Given the severity of the CVEs, we recommend that all Kasten K10 users upgrade as soon as possible. You can upgrade to the latest version of K10 by following the instructions outlined here.
The details of the Common Vulnerabilities and Exposures (CVEs) that are addressed in this release include:
- CVE-2019-18801 (CVSS score 9.0, Critical): An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1.
- CVE-2019-18802 (CVSS score 7.5, High): A request header with trailing whitespace may cause route matchers or access controls to be bypassed, resulting in escalation of privileges or information disclosure.
- CVE-2019-18838 (CVSS score 7.5, High): A malformed HTTP request without the Host header may cause abnormal termination of the Envoy process.
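To make the second and third items concrete, here is an added, constructed model (not Envoy's, Ambassador's or Kasten's code) of a proxy that routes or authorizes on a header value in front of an upstream that trims optional whitespace (OWS) from header values as RFC 7230 allows. It shows how comparing the raw value at the proxy while the upstream compares the trimmed value lets a trailing-space header slip past a deny rule, what the same rule looks like once the proxy normalizes before matching, and how an HTTP/1.1 request with no Host header should be rejected early with a 400 rather than handed further down the pipeline. The deny rule, the header names and the sample requests are all assumptions made for the illustration.

```python
"""Constructed model of the trailing-whitespace and missing-Host issues.

Added example, not code from the original post or from Envoy. It does not
reproduce Envoy's parser; it only models the normalization mismatch the
advisory text describes and the early rejection of a Host-less request.
"""

CRLF = "\r\n"

# Assumed proxy policy: an external client must never reach the upstream with
# "x-internal: true" (the header is what the upstream trusts for internal access).
DENY_RULES = {"x-internal": "true"}

# Constructed sample requests (not captured traffic).
TRAILING_WS_REQUEST = (
    "GET /internal HTTP/1.1" + CRLF
    + "Host: k10.example" + CRLF
    + "X-Internal: true " + CRLF      # note the trailing space
    + CRLF
)
NO_HOST_REQUEST = (
    "GET / HTTP/1.1" + CRLF
    + "X-Internal: false" + CRLF
    + CRLF
)


def parse_request(raw):
    """Parse a minimal HTTP/1.1 request head into method, target and headers.

    Header names are lower-cased; values keep trailing whitespace so the
    unpatched comparison below sees exactly what was on the wire.
    """
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.lstrip(" \t")  # strip leading OWS only
    return {"method": method, "target": target, "headers": headers}


def normalize_ows(value):
    """RFC 7230 field-value handling: drop leading and trailing SP / HTAB."""
    return value.strip(" \t")


def proxy_allows_vulnerable(req):
    """Unpatched behaviour: exact comparison on the raw value.

    "true " != "true", so the deny rule never fires and the request is forwarded.
    """
    return all(req["headers"].get(name) != value for name, value in DENY_RULES.items())


def proxy_allows_fixed(req):
    """Patched behaviour: normalize OWS first so the proxy compares the same
    value the upstream will act on."""
    return all(
        normalize_ows(req["headers"].get(name, "")) != value
        for name, value in DENY_RULES.items()
    )


def upstream_sees(req, name):
    """The upstream trims OWS, so it sees the value the proxy failed to match."""
    return normalize_ows(req["headers"].get(name, ""))


def validate_host(req):
    """Reject an HTTP/1.1 request without Host with a 400 instead of passing a
    request the rest of the pipeline may not be prepared for."""
    if "host" not in req["headers"]:
        return (400, "missing Host header")
    return (200, "ok")


if __name__ == "__main__":
    req = parse_request(TRAILING_WS_REQUEST)
    print("vulnerable proxy forwards:", proxy_allows_vulnerable(req))
    print("fixed proxy forwards:     ", proxy_allows_fixed(req))
    print("upstream sees x-internal =", repr(upstream_sees(req, "x-internal")))
    print("host-less request:", validate_host(parse_request(NO_HOST_REQUEST)))
```

The general lesson is the one behind every normalization-mismatch bug: whichever component enforces a rule must compare the value in the same canonical form the component behind it will use, or an attacker picks the encoding that each side interprets differently.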
What Made This Quick Response Possible?
Given our enterprise focus, we have a strict definition of response times for CVEs at each severity level. We also scan all our container images for vulnerabilities like the above to help us catch these issues early.
However, this is not simply a matter of good security hygiene and moving quickly in response to High or Critical CVEs. We have done a lot of work internally on our engineering infrastructure to keep our master branch always ready to release, backed by a very extensive test framework and 100% test automation. Our deep test pipeline validates every commit and release on multiple public clouds, against the Container Storage Interface (CSI), with on-premises distributions such as OpenShift, with multiple applications representative of customer deployments, with upgrades from previous K10 releases, and more. The infrastructure we have invested in so heavily is what allows us not only to release regularly on a two-week cadence with confidence but also to turn around security-related releases very quickly.
-The Kasten Team