Emissary-ingress, Edge Stack, and Telepresence Security Updates
Envoy Proxy upgrade resolving HTTP/2 Stream Cancellation Attack & CPU starvation along with Go upgrade resolving CVE-2023-39323 and CVE-2023-39325.
We have released the following security updates to Emissary-ingress, Edge Stack API Gateway, and Telepresence. These updates include upgrades to the Envoy and Go dependencies to address the recently announced security vulnerabilities.
- Emissary-ingress and Edge Stack 3.8.2 for API Gateway and ingress controller users
- Telepresence Smart Agent 1.13.22 for our Telepresence users
We recommend all users upgrade to the latest version of these products as soon as possible to mitigate potential attacks that may become prevalent following the security announcement.
Envoy Proxy Vulnerabilities
Emissary-ingress and Edge Stack API Gateway have been updated to the latest patched version of Envoy Proxy 1.26.4, and the Telepresence Smart Agent has been updated to Envoy Proxy 1.26.5.
These updates addressed the following vulnerabilities:
- CVE-2023-44487: HTTP/2 Rapid Reset Vulnerability (in Envoy) allowing denial of service attacks
Go Vulnerabilities
Emissary-ingress and Edge Stack API Gateway have been updated to Go version 1.20.10 and the Telepresence Smart Agent has been updated to 1.21.3.
These updates addressed the following vulnerabilities:
- CVE-2023-39323: Build-time "//go:cgo_" directives bypass allowing unexpected execution of arbitrary code when running "go build"
- CVE-2023-39325: HTTP/2 Rapid Reset Vulnerability (in Go) allowing denial of service attacks
Security Response
Security is critical to Ambassador Labs. If you discover any security issues in Ambassador Labs, please privately email secalert@datawire.io. We will continue to release updates in response to disclosed security vulnerabilities.
Upgrading Emissary-ingress and Edge Stack
The latest versions of Emissary-ingress and Edge Stack API Gateway are now available here:
- Emissary-ingress: https://hub.docker.com/r/emissaryingress/emissary
- Edge Stack API Gateway: https://hub.docker.com/r/datawire/aes
To install Edge Stack API Gateway, follow the quick start.
Please follow the instructions here to upgrade from your current Edge Stack to 3.X.
Upgrading to Telepresence
Telepresence versions after 2.6.0 will automatically update the smart agent to 1.13.22, unless you’ve configured a specific version of the smart agent. If you’re running an older version of Telepresence, we strongly recommend you upgrade.
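A quick way to confirm an upgrade actually landed is to compare the image tags running in a cluster against the patched versions named in this advisory. The script below is an added example, not Ambassador Labs code; the image repository names it maps to (emissaryingress/emissary, datawire/aes, datawire/ambassador-telepresence-agent) and the sample image list are assumptions, so adjust them to match your own deployment.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum patched versions from this advisory, keyed by 'org/name' of the image.
# The repository names are assumptions about how the products are deployed.
PATCHED: Dict[str, Version] = {
    "emissaryingress/emissary": (3, 8, 2),
    "datawire/aes": (3, 8, 2),
    "datawire/ambassador-telepresence-agent": (1, 13, 22),
}

# Constructed sample, shaped like `kubectl get pods -A -o jsonpath='{..image}'` output.
SAMPLE_IMAGES: List[str] = [
    "docker.io/emissaryingress/emissary:3.8.1",
    "docker.io/datawire/aes:3.8.2",
    "docker.io/datawire/ambassador-telepresence-agent:1.13.20",
    "docker.io/library/nginx:1.25.2",
]

def parse_version(tag: str) -> Optional[Version]:
    """Turn 'v3.8.2' or '3.8.2-rc.1' into (3, 8, 2); None for tags like 'latest'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def split_image(ref: str) -> Tuple[str, str]:
    """Split 'registry/org/name:tag' into ('org/name', 'tag'); a missing tag means 'latest'."""
    name, _, tag = ref.rpartition(":")
    if not tag or "/" in tag:  # no tag, or the colon belonged to a registry port
        name, tag = ref, "latest"
    return "/".join(name.split("/")[-2:]), tag

def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)

def check_images(images: List[str], patched: Dict[str, Version] = PATCHED) -> List[Tuple[str, str, str]]:
    """Return (image, found, required) for each advisory component below its patched version.
    Unparseable tags are reported too, since 'latest' proves nothing about the running build."""
    findings = []
    for ref in images:
        repo, tag = split_image(ref)
        if repo not in patched:
            continue  # not one of the components covered by this advisory
        required, found = patched[repo], parse_version(tag)
        if found is None:
            findings.append((ref, "unparseable tag", fmt(required)))
        elif found < required:
            findings.append((ref, fmt(found), fmt(required)))
    return findings

if __name__ == "__main__":
    for ref, found, required in check_images(SAMPLE_IMAGES):
        print(f"UNPATCHED {ref}: running {found}, need >= {required}")
```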