[NET-7948] Bump Envoy version to address multiple CVEs (#20589)

security: Bump Envoy versions to address CVEs

.changelog/20589.txt

@@ -0,0 +1,3 @@
+```release-note:security
+mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6), [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26), [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38), [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch), [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j), and [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```

.github/workflows/nightly-test-integrations-1.15.x.yml

@@ -74,7 +74,7 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # 14 based on these values:
-          # envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+          # envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.7", "1.27.3", "1.28.1"]
           # xds-target: ["server", "client"]
           TOTAL_RUNNERS: 7
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -109,7 +109,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+        envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.7", "1.27.3", "1.28.1"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

.github/workflows/nightly-test-integrations-1.16.x.yml

@@ -74,9 +74,9 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.6"]
+          # envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.7"]
           # xds-target: ["server", "client"]
-          TOTAL_RUNNERS: 4 
+          TOTAL_RUNNERS: 8
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
         run: |
           NUM_RUNNERS=$TOTAL_RUNNERS
@@ -109,7 +109,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.6"]
+        envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.7"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

.github/workflows/nightly-test-integrations-1.17.x.yml

@@ -74,7 +74,7 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+          # envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]
           # xds-target: ["server", "client"]
           TOTAL_RUNNERS: 4 
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -109,7 +109,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+        envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

.github/workflows/nightly-test-integrations.yml

@@ -71,9 +71,9 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+          # envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
           # xds-target: ["server", "client"]
-          TOTAL_RUNNERS: 4 
+          TOTAL_RUNNERS: 8
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
         run: |
           NUM_RUNNERS=$TOTAL_RUNNERS
@@ -106,7 +106,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+        envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

.github/workflows/test-integrations-windows.yml

@@ -62,7 +62,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: [ "1.28.0" ]
+        envoy-version: [ "1.28.1" ]
         xds-target: [ "server", "client" ]
     env:
       ENVOY_VERSION: ${{ matrix.envoy-version }}

.github/workflows/test-integrations.yml

@@ -270,9 +270,9 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 2 based on these values:
-          # envoy-version: ["1.28.0"]
+          # envoy-version: ["1.28.1"]
           # xds-target: ["server", "client"]
-          TOTAL_RUNNERS: 4
+          TOTAL_RUNNERS: 2
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
         run: |
           NUM_RUNNERS=$TOTAL_RUNNERS
@@ -305,7 +305,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.28.0"]
+        envoy-version: ["1.28.1"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:
@@ -395,7 +395,7 @@ jobs:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read
     env:
-      ENVOY_VERSION: "1.28.0"
+      ENVOY_VERSION: "1.28.1"
       CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi"
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

envoyextensions/xdscommon/envoy_versioning_test.go

@@ -152,9 +152,9 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 	*/
 	for _, v := range []string{
 		"1.25.0", "1.25.1", "1.25.2", "1.25.3", "1.25.4", "1.25.5", "1.25.6", "1.25.7", "1.25.8", "1.25.9", "1.25.10", "1.25.11",
-		"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6",
-		"1.27.0", "1.27.1", "1.27.2",
-		"1.28.0",
+		"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6", "1.26.7",
+		"1.27.0", "1.27.1", "1.27.2", "1.27.3",
+		"1.28.0", "1.28.1",
 	} {
 		cases[v] = testcase{expect: SupportedProxyFeatures{}}
 	}

envoyextensions/xdscommon/proxysupport.go

@@ -12,9 +12,9 @@ import "strings"
 //
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
-	"1.28.0",
-	"1.27.2",
-	"1.26.6",
+	"1.28.1",
+	"1.27.3",
+	"1.26.7",
 	"1.25.11",
 }
 

website/content/docs/connect/proxies/envoy.mdx

@@ -37,21 +37,23 @@ The following matrix describes Envoy compatibility for the currently supported *
 
 Consul supports **four major Envoy releases** at the beginning of each major Consul release. Consul maintains compatibility with Envoy patch releases for each major version so that users can benefit from bug and security fixes in Envoy. As a policy, Consul will add support for a new major versions of Envoy in a Consul major release. Support for newer versions of Envoy will not be added to existing releases.
 
-| Consul Version      | Compatible Envoy Versions                                                          |
-| ------------------- | -----------------------------------------------------------------------------------|
-| 1.18.x              | 1.28.0, 1.27.2, 1.26.6, 1.25.11                                                    |
-| 1.17.x              | 1.27.2, 1.26.6, 1.25.11, 1.24.12                                                   |
-| 1.16.x              | 1.26.6, 1.25.11, 1.24.12, 1.23.12                                                  |
+| Consul Version                  | Compatible Envoy Versions                                                          |
+| ------------------------------- | -----------------------------------------------------------------------------------|
+| 1.18.x                          | 1.28.1, 1.27.3, 1.26.7, 1.25.11                                                    |
+| 1.17.x                          | 1.27.3, 1.26.7, 1.25.11, 1.24.12                                                   |
+| 1.16.x                          | 1.26.7, 1.25.11, 1.24.12, 1.23.12                                                  |
+| 1.15.x  (LTS - Enterprise only) | 1.28.1, 1.27.3, 1.26.7, 1.25.11, 1.26.7, 1.25.11, 1.24.12, 1.23.12                 |
 
 ### Envoy and Consul Dataplane
 
 The Consul dataplane component was introduced in Consul v1.14 as a way to manage Envoy proxies without the use of Consul clients. Each new minor version of Consul is released with a new minor version of Consul dataplane, which packages both Envoy and the `consul-dataplane` binary in a single container image. For backwards compatibility reasons, each new minor version of Consul will also support the previous minor version of Consul dataplane to allow for seamless upgrades. In addition, each minor version of Consul will support the next minor version of Consul dataplane to allow for extended dataplane support via newer versions of Envoy.
 
-| Consul Version      | Default `consul-dataplane` Version                          | Other compatible `consul-dataplane` Versions |
-| ------------------- | ------------------------------------------------------------|----------------------------------------------|
-| 1.17.x              | 1.3.x (Envoy 1.27.x)                                        | 1.2.x (Envoy 1.26.x)                         |
-| 1.16.x              | 1.2.x (Envoy 1.26.x)                                        | 1.3.x (Envoy 1.27.x), 1.1.x (Envoy 1.25.x)   |
-| 1.15.x              | 1.1.x (Envoy 1.25.x)                                        | 1.2.x (Envoy 1.26.x), 1.0.x (Envoy 1.24.x)   |
+| Consul Version                 | Default `consul-dataplane` Version   | Other compatible `consul-dataplane` Versions |
+| ------------------------------ | -------------------------------------|----------------------------------------------|
+| 1.18.x                         | 1.4.x (Envoy 1.28.x)                 | 1.3.x (Envoy 1.27.x)                         |
+| 1.17.x                         | 1.3.x (Envoy 1.27.x)                 | 1.4.x (Envoy 1.28.x), 1.2.x (Envoy 1.26.x)   |
+| 1.16.x                         | 1.2.x (Envoy 1.26.x)                 | 1.3.x (Envoy 1.27.x), 1.1.x (Envoy 1.25.x)   |
+| 1.15.x (LTS - Enterprise only) | 1.1.x (Envoy 1.25.x)                 | 1.2.x (Envoy 1.26.x), 1.0.x (Envoy 1.24.x)   |
 
 ## Getting Started