Merge pull request #3811 from keithmattix/patch-1
Update README.md
qpetraroia authored Jul 31, 2023
2 parents e1dc835 + dd45304 commit d2c9527
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion examples/envoy-ghsa-jfxv-29pc-x22r/README.md
Expand Up @@ -4,7 +4,7 @@ Who is at risk?
All AKS clusters with the OSM or Istio addosn enabled and sidecars injected in their applications

Mitigation Steps?
The AKS team is rolling out patched Envoy versions to all supported AKS clusters (i.e. versions 1.24 and higher) using the OSM or Istio addons. These updates are expected to be rolled out to all regions in 10 days (July 30th). If you're using the OSM addon, you can use the `get-osm-envoy-version.sh` script in this directory to check your injected Envoy version (requires `jq`). If the image tag is v1.26.3 or v1.25.8, you have the patch and you are not at risk. If you are using the Istio addon, you can use the `get-istio-versio.sh` script in this directory to check your Istio version (also requires `jq`). If the image tag is v1.17.4, then you have the patch and are not at risk.
The AKS team is rolling out patched Envoy versions to all supported AKS clusters (i.e. versions 1.24 and higher) using the OSM or Istio addons. These updates are expected to be rolled out to all regions in 10 days (July 30th). If you're using the OSM addon, you can use the `get-osm-envoy-version.sh` script in this directory to check your injected Envoy version (requires `jq`). If the image tag is v1.26.3 or v1.25.8, you have the patch and you are not at risk. If you are using the Istio addon, you can use the `get-istio-version.sh` script in this directory to check your Istio version (also requires `jq`). If the image tag is v1.17.4, then you have the patch and are not at risk.

Am I required to take any action?
Once your cluster has the patch, you must restart all sidecar injected applications in order to replace the vulnerable Envoy sidecars with patched ones. This applies for both the OSM and Istio addons. If your AKS version is [out of support](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions), you will NOT receive a new version of either addon containing the security patch. We strongly recommend you upgrade in order to receive support and security patches.
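
Review bot: the unchanged line under "Who is at risk?" at the top of this hunk still reads "addosn"; since this change is already a typo fix in the same README, correct that word to "addons" in the same commit. The mitigation paragraph also states the rollout is expected "in 10 days (July 30th)", and this merge is dated Jul 31, 2023, so consider rewording that sentence to reflect the current rollout status so readers do not assume a patch is still pending or already present without running the version scripts.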
