Announcing Linkerd 2.12.4: OpenSSL updates, fixes for large clusters, and more!

Flynn

Feb 10, 2023

Announcing Linkerd 2.12.4

Today we're pleased to announce the release of Linkerd 2.12.4. This release includes some fixes important enough to call attention to, and we want to make sure Linkerd users know about them.

OpenSSL CVE fixes

Linkerd 2.12.4 includes fixes for several recently-disclosed OpenSSL CVEs. We do not believe that any of these CVEs present a realistic exploit in practice for Linkerd.

The OpenSSL CVEs addressed in this release include CVE-2023-0286 (severity High), and CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401 (all severity Moderate). Linkerd is not vulnerable to CVE-2023-0286 or CVE-2023-0401, and the security implications of the others are minor for Linkerd.

Only the control plane of Linkerd can be affected by OpenSSL vulnerabilities, since the Linkerd data plane doesn’t use OpenSSL at all. Therefore, no data plane traffic can ever be affected by any OpenSSL vulnerability. Additionally, for these CVEs, an attacker would generally already have to have elevated privileges within the cluster to mount any attacks, and the attacks themselves are largely impractical.

Therefore, while we don't consider it likely that any of these CVEs can cause problems, we nevertheless recommend that all users upgrade to 2.12.4 to avoid even potential issues. Linkerd, after all, is meant to add security to your application: we take that seriously, and we want to make certain that you don't need to worry about things like this.

Other Fixes: Memory, Readiness, and More!

Linkerd 2.12.4 also fixes a memory leak in the destination controller and an issue with control-plane liveness checks:

  • On clusters where a very large number of Pods are being created and destroyed, the Linkerd destination controller could use a large amount of RAM and crash. This should no longer happen (and, additionally, the destination controller should consume less memory in general!).
  • On very large clusters, some Linkerd control-plane components could fail to start, because liveness probes would stall while caches were being initialized. We now allow liveness probes to succeed immediately, while blocking readiness probes until the caches are warm.
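The second fix is the standard Kubernetes pattern of splitting liveness from readiness: liveness only says "the process is up", while readiness gates traffic on the caches being warm, so a slow initial sync on a large cluster no longer gets a control-plane Pod killed and restarted in a loop. The following Go program is an added illustration of that split and is not Linkerd's own code; the `Health` type, the `/live` and `/ready` paths, port 9990 and the simulated 30-second cache warm-up are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"sync/atomic"
	"time"
)

// Health tracks whether the component's caches are warm. Liveness is
// deliberately decoupled from cache state: a long initial sync must not
// look like a hung process to the kubelet.
type Health struct {
	ready int32 // 0 = caches still syncing, 1 = warm (atomic)
}

// MarkReady is called once by the cache-sync goroutine when the sync completes.
func (h *Health) MarkReady() { atomic.StoreInt32(&h.ready, 1) }

// IsReady reports whether the caches have been marked warm.
func (h *Health) IsReady() bool { return atomic.LoadInt32(&h.ready) == 1 }

// LiveHandler always answers 200: the process is running and can serve HTTP,
// whether or not its caches have been populated yet. A liveness probe that
// pointed at the readiness logic instead would restart the Pod mid-sync.
func (h *Health) LiveHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "live")
}

// ReadyHandler answers 503 until the caches are warm, so the Pod is kept out
// of Service endpoints until it can give correct answers.
func (h *Health) ReadyHandler(w http.ResponseWriter, r *http.Request) {
	if !h.IsReady() {
		w.WriteHeader(http.StatusServiceUnavailable)
		fmt.Fprintln(w, "not ready: cache sync in progress")
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "ready")
}

// warmCaches stands in for an informer sync. The fixed delay is an assumption
// for this example only, to make the readiness gate observable when run locally.
func warmCaches(h *Health, d time.Duration) {
	time.Sleep(d)
	h.MarkReady()
}

func main() {
	h := &Health{}
	mux := http.NewServeMux()
	mux.HandleFunc("/live", h.LiveHandler)
	mux.HandleFunc("/ready", h.ReadyHandler)
	go warmCaches(h, 30*time.Second)
	fmt.Println("listening on :9990 (/live answers 200 at once, /ready after 30s)")
	if err := http.ListenAndServe(":9990", mux); err != nil {
		fmt.Println("server error:", err)
	}
}
```

In the Pod spec, the `livenessProbe` would target `/live` and the `readinessProbe` would target `/ready`; with the two paths separated, the liveness probe's `failureThreshold` no longer has to be sized for the worst-case cache sync, and a genuinely wedged process is still caught because `/live` stops answering.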

Finally, there are several smaller fixes around better EndpointSlice handling, improved Helm charts, and more. The full release notes have all the details.

Many thanks to everyone who made this release possible (notably contributors anoxape, Joe Bowbeer, and Oleg Vorobev)! As always, you can find us on the Linkerd Slack if you have further questions.

What’s next for Linkerd?

Thankfully, life isn’t just patching CVEs. Over the next few Linkerd releases, we'll be introducing some exciting new policy features like header-based routing and circuit breaking, as well as working on longer-term features such as mesh expansion to allow the data plane to run outside of Kubernetes. If you have feature requests, of course, we’d love to hear them!

Linkerd is for everyone

Linkerd is a graduated project of the Cloud Native Computing Foundation. Linkerd was created by Buoyant and is 100% open source. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!
