Today we're pleased to announce the release of Linkerd 2.12.4. This release includes some fixes important enough to call attention to, and we want to make sure Linkerd users know about them.
Linkerd 2.12.4 includes fixes for several recently-disclosed OpenSSL CVEs. We do not believe that any of these CVEs present a realistic exploit in practice for Linkerd.
The OpenSSL CVEs addressed in this release include CVE-2023-0286 (severity High), and CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, and CVE-2023-0401 (all severity Moderate). Linkerd is not vulnerable to CVE-2023-0286 or CVE-2023-0401, and the security implications of the others are minor for Linkerd.
Only the control plane of Linkerd can be affected by OpenSSL vulnerabilities, since the Linkerd data plane doesn’t use OpenSSL at all. Therefore, no data plane traffic can ever be affected by any OpenSSL vulnerability. Additionally, for these CVEs, an attacker would generally already have to have elevated privileges within the cluster to mount any attacks, and the attacks themselves are largely impractical.
Therefore, while we don't consider it likely that any of these CVEs can cause problems, we nevertheless recommend that all users upgrade to 2.12.4 to avoid even potential issues. Linkerd, after all, is meant to add security to your application: we take that seriously, and we want to make certain that you don't need to worry about things like this.
Linkerd 2.12.4 also fixes a memory leak in the destination controller and an issue with control-plane liveness checks:
Finally, there are several smaller fixes around better EndpointSlice handling, improved Helm charts, and more. The full release notes have all the details.
Many thanks to everyone who made this release possible (notably contributors anoxape, Joe Bowbeer, and Oleg Vorobev)! As always, you can find us on the Linkerd Slack if you have further questions.
Thankfully, life isn’t just patching CVEs. Over the next few Linkerd releases, we'll be introducing some exciting new policy features like header-based routing and circuit breaking, as well as on longer-term features such as mesh expansion to allow the data plane to run outside of Kubernetes. If you have feature requests, of course, we’d love to hear them!
Linkerd is a graduated project of the Cloud Native Computing Foundation. Linkerd was created by Buoyant and is 100% open source. If you have feature requests, questions, or comments, we’d love to have you join our rapidly-growing community! Linkerd is hosted on GitHub, and we have a thriving community on Slack, Twitter, and the mailing lists. Come and join the fun!
(Photo by Masaaki Komori on Unsplash)