Tetrate Service Bridge, Version 1.12.x

Release Notes

Version 1.12.12

  • Fixed the following CVEs: CVE-2024-58251,CVE-2025-15281,CVE-2025-22872,CVE-2025-46394,CVE-2025-47907,CVE-2025-58185,CVE-2025-58187,CVE-2025-58188,CVE-2025-58189,CVE-2025-60876,CVE-2025-61723,CVE-2025-61725,CVE-2025-61726,CVE-2025-61729,CVE-2025-68121,CVE-2025-68156,CVE-2026-0861,CVE-2026-0915,CVE-2026-0994,CVE-2026-22007,CVE-2026-22013,CVE-2026-22016,CVE-2026-22018,CVE-2026-22021,CVE-2026-22184,CVE-2026-24051,CVE-2026-25679,CVE-2026-2673,CVE-2026-27135,CVE-2026-28387,CVE-2026-28388,CVE-2026-28389,CVE-2026-28390,CVE-2026-29111,CVE-2026-29181,CVE-2026-30778,CVE-2026-31789,CVE-2026-31790,CVE-2026-32280,CVE-2026-32281,CVE-2026-32282,CVE-2026-32283,CVE-2026-32287,CVE-2026-32288,CVE-2026-32289,CVE-2026-32952,CVE-2026-33186,CVE-2026-33230,CVE-2026-33810,CVE-2026-33811,CVE-2026-33814,CVE-2026-33815,CVE-2026-33816,CVE-2026-33870,CVE-2026-33871,CVE-2026-33997,CVE-2026-34040,CVE-2026-34268,CVE-2026-34282,CVE-2026-34477,CVE-2026-34480,CVE-2026-34986,CVE-2026-35206,CVE-2026-35469,CVE-2026-39820,CVE-2026-39823,CVE-2026-39825,CVE-2026-39826,CVE-2026-39836,CVE-2026-39882,CVE-2026-39883,CVE-2026-40179,CVE-2026-40200,CVE-2026-40225,CVE-2026-40226,CVE-2026-4105,CVE-2026-41417,CVE-2026-42151,CVE-2026-42154,CVE-2026-42499,CVE-2026-42577,CVE-2026-42578,CVE-2026-42579,CVE-2026-42580,CVE-2026-42581,CVE-2026-42583,CVE-2026-42584,CVE-2026-42585,CVE-2026-44903,CVE-2026-4539,CVE-2026-4873,CVE-2026-4878,CVE-2026-5545,CVE-2026-5773,CVE-2026-5958,CVE-2026-6042,CVE-2026-6253,CVE-2026-6276,CVE-2026-6357,CVE-2026-6429,CVE-2026-6472,CVE-2026-6473,CVE-2026-6474,CVE-2026-6475,CVE-2026-6477,CVE-2026-6478,CVE-2026-6479,CVE-2026-6637,CVE-2026-6732,CVE-2026-7168,GHSA-fw8g-cg8f-9j28,GHSA-j88v-2chj-qfwx, CVE-2026-22184.

  • Fixed duplicate host validation for gateways so that conflicting host/port combinations are detected when one gateway's workload selector is a superset of another's, not only when it is a subset. Previously, two gateways in the same group sharing a host/port could pass validation if their label selectors overlapped only in the superset direction.
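The symmetric overlap check described above, as an added Go example (not TSB's own validation code). It assumes equality-based workload selectors, that the pre-fix check tested only whether the gateway being validated had a selector that is a label subset of an existing gateway's, and a hypothetical minimal Gateway type:

```go
package main

import (
	"fmt"
	"sort"
)

// Gateway is a hypothetical, minimal stand-in for a TSB gateway in one gateway
// group: its workload selector labels, the listener port and the hosts served.
type Gateway struct {
	Name     string
	Selector map[string]string
	Port     int
	Hosts    []string
}

// isSubset reports whether every label in a is present in b with the same
// value, i.e. selector a matches at most the workloads that selector b matches.
func isSubset(a, b map[string]string) bool {
	for k, v := range a {
		if bv, ok := b[k]; !ok || bv != v {
			return false
		}
	}
	return true
}

// selectorsOverlap reports whether two equality-based selectors can pick the
// same workload. The pre-fix check tested only the "candidate labels are a
// subset" direction; with checkSuperset the other direction is tested as well.
func selectorsOverlap(candidate, existing map[string]string, checkSuperset bool) bool {
	if isSubset(candidate, existing) {
		return true
	}
	return checkSuperset && isSubset(existing, candidate)
}

// ValidateHosts returns one "host:port conflicts with <gateway>" message for
// every host/port the candidate shares with an existing gateway whose selector
// overlaps its own, sorted for stable output.
func ValidateHosts(candidate Gateway, existing []Gateway, checkSuperset bool) []string {
	var conflicts []string
	for _, other := range existing {
		if other.Port != candidate.Port ||
			!selectorsOverlap(candidate.Selector, other.Selector, checkSuperset) {
			continue
		}
		served := map[string]bool{}
		for _, h := range other.Hosts {
			served[h] = true
		}
		for _, h := range candidate.Hosts {
			if served[h] {
				conflicts = append(conflicts,
					fmt.Sprintf("%s:%d conflicts with %s", h, candidate.Port, other.Name))
			}
		}
	}
	sort.Strings(conflicts)
	return conflicts
}

func main() {
	// Constructed sample: gw-app selects every app=gw pod, gw-app-tier only the
	// app=gw,tier=edge pods among them, so the two gateways share workloads.
	gwApp := Gateway{Name: "gw-app", Selector: map[string]string{"app": "gw"}, Port: 443, Hosts: []string{"shop.example.com"}}
	gwAppTier := Gateway{Name: "gw-app-tier", Selector: map[string]string{"app": "gw", "tier": "edge"}, Port: 443, Hosts: []string{"shop.example.com", "api.example.com"}}

	fmt.Println("candidate labels subset, old check:  ", ValidateHosts(gwApp, []Gateway{gwAppTier}, false))
	fmt.Println("candidate labels superset, old check:", ValidateHosts(gwAppTier, []Gateway{gwApp}, false))
	fmt.Println("candidate labels superset, new check:", ValidateHosts(gwAppTier, []Gateway{gwApp}, true))
}
```

With the old check the second call reports nothing even though both gateways serve shop.example.com:443 on the same pods; the third call catches it.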

  • The control plane webhook port is now configurable via the operator.webhookPort Helm value (default: 9443). For example:

    operator:
      webhookPort: 9444

  • Temurin 11 JRE to the latest patched build (April 2026 Oracle CPU).

  • Added DISABLE_SEGMENTATION environment variable on the TSB operator to control deployment of the N2AC (segmentation) component. When set to true, the operator skips deploying N2AC and sets TSB_DISABLE_SEGMENTATION=true on the bridge and web-ui deployments. Previously, N2AC was always deployed regardless of whether segmentation was enabled.

  • Fixed a panic in MPC that caused a CrashLoopBackOff when Flagger was installed in the cluster. The canaries.flagger.app CRD triggered an informer whose list function called into a nil Flagger client. MPC now initializes a real Flagger client at startup and passes it to the combined kube client, preventing the nil-pointer dereference.

  • Fixed a high CPU consumption issue when the --configwatch-service-account-debounce-interval=0s flag was set on the apiserver.

  • TSB now creates a dedicated promql user with a configurable password to access the /promql endpoint. The user is unprivileged in the scope of TSB permissions. To configure it, use the --tsb-promql-password flag with tctl install manifest management-plane or set the secrets.tsb.promqlPassword Helm value when installing the Management Plane chart. The password is stored in the admin-credentials Kubernetes Secret under the promql key in namespace tsb.

  • The busybox image has been removed from the TSB release. It has been replaced with a smaller internal image holding only the necessary capabilities.

  • Fixed Azure base group lookup in TeamSync to require an exact displayName match. Microsoft Graph search returns groups whose names contain the query string, so configuring a base group like HR could previously resolve to a different group such as HR Taskforce. TeamSync now filters search results to the exact display name and fails fast with a clear error if no group matches.

  • Fixed issues where XCP resources would not update correctly. All resources created by the XCP operators now use server-side apply instead of merge; this can be reverted to the old behavior by setting USE_SERVER_SIDE_APPLY to false on the XCP operator deployments.

  • Added a dry-run diff endpoint (/debug/gateway-reconcile-diff) on the edge operator admin server (port 8090) to preview what changes would be applied when reconciliation is resumed. The response shows per-gateway reconciliation state, pending changes to Deployments/Services/ServiceAccounts/HPAs, whether changes would cause pod restarts, and a unified YAML diff. The response summary includes total gateways, count with changes, count that will cause restarts, and count paused.

  • Gateway deployment config status now reports the RECONCILIATION_PAUSED phase as APPLIED_NOT_READY, with a ReconciliationPaused condition indicating the pause reason. The status includes current workload details (deployment readiness, replica counts, service type).

  • Gateway install objects (IngressDeployment, EgressDeployment, Tier1Deployment, GatewayDeployment) are now protected from accidental deletion. Deletion of managed gateway CRs is blocked when edge deletion protection is enabled. Non-managed gateway CRs are not affected.

  • Added two new metrics for gateway reconciliation observability:

    • gateway_reconcile_paused (gauge, labels: gateway_type, gateway_namespace, gateway_name): reports per-gateway pause state (1 = paused, 0 = active).
    • gateway_reconcile_skipped_total (counter, labels: gateway_type, reason, gateway_namespace, gateway_name): tracks the number of reconciliations skipped, with reason indicating the level that disabled it (object_label_disabled, namespace_api_disabled, revision_api_disabled).
  • Gateway deployments are no longer reconciled during upgrades when their spec hasn't changed. A new RECONCILIATION_DIRTY phase and DirtyStateDetected condition surface when the generated config would differ from what's applied, giving visibility into configuration drift. Users can force reconciliation by setting the install.tetrate.io/reconcile-before label with a future date.

  • Added a new feature to the XCP Edge operator that allows users to override the proxy configuration annotation proxy.istio.io/config for the gateway deployments.

  • Tier1 gateways now validate that the TrafficGroup and SecurityGroup are consistent across clusters.

  • Fixed an issue where shared components (CNI, OAP, meshExpansion) could be inconsistently assigned to different revisions across restarts or upgrades. The default revision is now always preferred when available, ensuring stable and predictable behavior in multi-revision deployments.

  • Fixed accumulation of additionalOverlays which caused stale values to exist even after they were removed from EdgeXcp.

  • Fixed the status poller for GatewayDeployments which showed pending status for all gateways in the tsb namespace.

  • XCP operator now automatically skips wasmfetcher custom templates when native sidecars are enabled. With native sidecars (Istio >= 1.27 default), the wasmfetcher init container approach is unnecessary. Detection uses a three-layer approach: the SKIP_WASMFETCHER_CUSTOM_TEMPLATES operator env var override, explicit ENABLE_NATIVE_SIDECARS in EdgeXcp istiod env, and Istio version-based auto-detection (>= 1.27).
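The three-layer detection described above, as an added Go example (not the XCP operator's code). It assumes the layers are consulted in the order listed, that the env values are parsed as booleans, and that an unparsable override is ignored rather than fatal:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Decision records whether wasmfetcher custom templates are skipped and why.
type Decision struct {
	Skip   bool
	Reason string
}

// parseMajorMinor returns the major and minor of an Istio version such as
// "1.27.1" or "v1.28.0-tetrate-v1"; ok is false when it cannot be parsed.
func parseMajorMinor(version string) (major, minor int, ok bool) {
	v := strings.TrimPrefix(version, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release / build suffix
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 {
		return 0, 0, false
	}
	var err error
	if major, err = strconv.Atoi(parts[0]); err != nil {
		return 0, 0, false
	}
	if minor, err = strconv.Atoi(parts[1]); err != nil {
		return 0, 0, false
	}
	return major, minor, true
}

// SkipWasmfetcher applies the three layers in order: the operator's own env
// (SKIP_WASMFETCHER_CUSTOM_TEMPLATES override), the istiod env block of the
// EdgeXcp CR (ENABLE_NATIVE_SIDECARS), and finally the Istio version, where
// >= 1.27 defaults to native sidecars. Assumption: order and parsing are
// this example's, not necessarily the operator's exact rules.
func SkipWasmfetcher(operatorEnv, istiodEnv map[string]string, istioVersion string) Decision {
	if v, ok := operatorEnv["SKIP_WASMFETCHER_CUSTOM_TEMPLATES"]; ok {
		if skip, err := strconv.ParseBool(v); err == nil {
			return Decision{skip, "SKIP_WASMFETCHER_CUSTOM_TEMPLATES operator env override"}
		}
		// assumption: an unparsable override is ignored, not fatal
	}
	if v, ok := istiodEnv["ENABLE_NATIVE_SIDECARS"]; ok {
		if native, err := strconv.ParseBool(v); err == nil {
			return Decision{native, "explicit ENABLE_NATIVE_SIDECARS in EdgeXcp istiod env"}
		}
	}
	if major, minor, ok := parseMajorMinor(istioVersion); ok {
		if major > 1 || (major == 1 && minor >= 27) {
			return Decision{true, "Istio " + istioVersion + " >= 1.27 defaults to native sidecars"}
		}
		return Decision{false, "Istio " + istioVersion + " < 1.27 still needs the init container"}
	}
	return Decision{false, "unknown Istio version, keeping wasmfetcher templates"}
}

func main() {
	none := map[string]string{}
	for _, ver := range []string{"1.26.4", "1.27.0", "v1.28.1-tetrate-v2", "garbage"} {
		d := SkipWasmfetcher(none, none, ver)
		fmt.Printf("%-20s skip=%-5v %s\n", ver, d.Skip, d.Reason)
	}
}
```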

  • Added configurable metric cardinality control for XCP Edge. The following high-cardinality per-namespace metrics are suppressed by default to prevent Prometheus storage growth in large clusters:

    • xcp_edge_cr_apply_time_in_ms
    • xcp_edge_k8s_configs_apply_time_secs
    • xcp_edge_istio_object_missing_hash_annotation_count

    The active filtering rules are written to the edge-config ConfigMap on every reconcile, making them discoverable via kubectl get configmap edge-config -o yaml.

    Operators can customise the rules via spec.metrics.metricExclusions on the EdgeXcp CR. Each entry specifies a metric name matcher (exact string or RE2 regular expression). A matching metric family is fully suppressed at scrape time.

    To disable all built-in defaults and emit every metric unfiltered, set spec.metrics.disableDefaultExclusions: true.
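The exclusion mechanism described above, as an added Go example (not XCP Edge's implementation): a filter built from the three listed defaults plus user matchers, applied to a constructed Prometheus exposition scrape. It assumes every matcher is compiled as a fully anchored RE2 expression (Go's regexp is RE2), which makes a plain metric name an exact match and anything with metacharacters a pattern.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// defaultExclusions: the per-namespace metrics the release notes suppress by default.
var defaultExclusions = []string{
	"xcp_edge_cr_apply_time_in_ms",
	"xcp_edge_k8s_configs_apply_time_secs",
	"xcp_edge_istio_object_missing_hash_annotation_count",
}

// MetricFilter suppresses whole metric families whose name matches any rule.
// Every rule is compiled as a fully anchored RE2 expression; since metric names
// contain only [a-zA-Z0-9_:], a plain name acts as an exact match while
// "xcp_edge_.*_time.*" acts as a pattern.
type MetricFilter struct{ rules []*regexp.Regexp }

// NewMetricFilter mirrors the EdgeXcp settings: built-in defaults unless
// disableDefaults (spec.metrics.disableDefaultExclusions) is set, plus the user
// matchers (spec.metrics.metricExclusions). An invalid RE2 rule is an error.
func NewMetricFilter(disableDefaults bool, userRules []string) (*MetricFilter, error) {
	var names []string
	if !disableDefaults {
		names = append(names, defaultExclusions...)
	}
	f := &MetricFilter{}
	for _, r := range append(names, userRules...) {
		re, err := regexp.Compile("^(?:" + r + ")$")
		if err != nil {
			return nil, fmt.Errorf("metric exclusion %q: %w", r, err)
		}
		f.rules = append(f.rules, re)
	}
	return f, nil
}

// Suppressed reports whether a metric family name matches any exclusion rule.
func (f *MetricFilter) Suppressed(name string) bool {
	for _, re := range f.rules {
		if re.MatchString(name) {
			return true
		}
	}
	return false
}

// familyName extracts the family name from one exposition-format line:
// "# HELP name ...", "# TYPE name ...", or a sample "name{labels} value".
// Blank lines and other comments yield "".
func familyName(line string) string {
	fields := strings.Fields(line)
	if len(fields) >= 3 && fields[0] == "#" && (fields[1] == "HELP" || fields[1] == "TYPE") {
		return fields[2]
	}
	if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
		return ""
	}
	if i := strings.IndexByte(fields[0], '{'); i >= 0 {
		return fields[0][:i]
	}
	return fields[0]
}

// Filter drops every HELP, TYPE and sample line of a suppressed family, which is
// what suppressing the family at scrape time amounts to. Gauge/counter families
// only: histogram suffixes (_bucket, _sum, _count) are not folded into a parent.
func (f *MetricFilter) Filter(exposition string) string {
	var out []string
	for _, line := range strings.Split(exposition, "\n") {
		if name := familyName(line); name != "" && f.Suppressed(name) {
			continue
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n")
}

// sampleScrape is a constructed scrape, not real XCP Edge output.
const sampleScrape = `# HELP xcp_edge_cr_apply_time_in_ms Time to apply CRs.
# TYPE xcp_edge_cr_apply_time_in_ms gauge
xcp_edge_cr_apply_time_in_ms{namespace="bookinfo"} 12
# HELP xcp_edge_unmanaged_resources_count Unmanaged resources seen.
# TYPE xcp_edge_unmanaged_resources_count gauge
xcp_edge_unmanaged_resources_count 3
# HELP xcp_edge_config_translation_attempts_total Translation attempts.
# TYPE xcp_edge_config_translation_attempts_total counter
xcp_edge_config_translation_attempts_total 41`

func main() {
	// Defaults on, plus one RE2 pattern as an operator would add via metricExclusions.
	f, err := NewMetricFilter(false, []string{"xcp_edge_config_translation_.*"})
	if err != nil {
		panic(err)
	}
	fmt.Println(f.Filter(sampleScrape))
}
```

Only the xcp_edge_unmanaged_resources_count family survives the filter; the default-excluded gauge and the pattern-matched counter are removed together with their HELP and TYPE lines.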

  • Fixed OpenShift HCP/HyperShift cluster detection. Worker nodes on hosted control plane clusters lack the machineconfiguration.openshift.io/state annotation (managed by the MachineConfig Operator on the management cluster), causing them to be detected as unknown provider. Detection now falls back to the hypershift.openshift.io/managed label for HCP worker nodes, and the node.openshift.io/os_id label as a general OpenShift catch-all.

  • Removed a debug log from xcpd that would include authorization tokens in central when new connections were established. This log was only emitted when logging was set to the debug level.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2025-69720 - No fix available.
  • CVE-2026-27456 - No fix available.
  • CVE-2026-4046 - No fix available.
  • CVE-2026-4437 - No fix available.
  • CVE-2026-3184 - No fix available.
  • CVE-2026-4438 - No fix available.
  • CVE-2026-5450 - No fix available.
  • CVE-2026-6238 - No fix available.
  • CVE-2026-5435 - No fix available.
  • CVE-2026-5928 - No fix available.
  • CVE-2026-5704 - No fix available.
  • CVE-2026-27171 - No fix available.
  • CVE-2026-34743 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2026-40228 - No fix available.

Version 1.12.11

  • Fixed CVE-2026-33186.
  • Fixed an issue where removing IstioOperator overlays (e.g. proxyStatsMatcher) did not take effect because the previous JSON merge patch preserved stale fields. IstioOperator CR updates now use server-side apply, and can be reverted to the old behavior by setting USE_SERVER_SIDE_APPLY_FOR_IOP to false on the XCP edge operator deployment.
  • Fixed duplication of authentication configuration across hostnames at gateways and optimized memory consumption. For previous releases that set ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN, the environment variable must be replaced with ENABLE_ENHANCED_REQUEST_AUTHENTICATION, which is a superset of the functionality previously gated behind ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2025-69720 - No fix available.
  • CVE-2026-4046 - No fix available.
  • CVE-2026-29111 - No fix available.
  • CVE-2026-33231 - No fix available.
  • PRISMA-2022-0168 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2025-66382 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2026-4437 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2026-4438 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2026-22185 - No fix available.
  • CVE-2026-4105 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • TEMP-0841856-B18BAF - No fix available.
  • CVE-2025-70873 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2024-2236 - No fix available.
  • TEMP-0628843-DBAD28 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2023-31437 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2025-14104 - No fix available.
  • CVE-2026-3184 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2021-45346 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2022-0563 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2026-2673 - No fix available.
  • CVE-2023-31438 - No fix available.
  • CVE-2018-20796 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
  • CVE-2025-27587 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • TEMP-0517018-A83CE6 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2005-2541 - No fix available.
  • CVE-2011-4116 - No fix available.
  • CVE-2026-34743 - No fix available.
  • CVE-2025-29481 - No fix available.

Version 1.12.10

  • Fixed the following CVEs: CVE-2025-69421,CVE-2024-22365,CVE-2025-68973,CVE-2025-69420,CVE-2025-9820,CVE-2026-22796,CVE-2025-69418,CVE-2025-15467,CVE-2025-68160,CVE-2025-69419,CVE-2025-14831,CVE-2025-6020,CVE-2026-22795,CVE-2025-61730,CVE-2025-61726,CVE-2026-24051,CVE-2026-27139,CVE-2025-68121,CVE-2025-58181,GO-2026-4342,CVE-2026-27142,CVE-2025-61728,CVE-2026-25679,CVE-2026-33186,GHSA-jqcq-xjh3-6g23 / CVE-2026-4427,CVE-2026-27137,CVE-2026-27171,CVE-2025-60876,CVE-2026-22184,GHSA-72hv-8253-57qq,CVE-2025-15281,GHSA-jqcq-xjh3-6g23,CVE-2025-47914,CVE-2025-61729,CVE-2025-61731,CVE-2025-68119,CVE-2025-58183, CVE-2025-68156,CVE-2025-47907,CVE-2026-22695,CVE-2025-13151,CVE-2026-0861,CVE-2026-0915,CVE-2026-2219,CVE-2025-7709,CVE-2026-1965,CVE-2026-3783,CVE-2026-3731,CVE-2026-23865,CVE-2025-59530
  • Fixed an issue where XCP Edge would update some ServiceEntry, DestinationRule and AuthorizationPolicy resources repeatedly with different field ordering. This could cause unnecessary CPU usage and API server load.
  • Added support for ISTIO_MUTUAL mode for external authorization.
  • Added support for timeout and CORS policy in HTTP route rules.
  • When upgrading from a release below TSB 1.12 to 1.12+, it is recommended to delete the istio-revision-tag-default mutating webhook from the cluster after the upgrade, using kubectl delete mutatingwebhookconfiguration istio-revision-tag-default. When upgrading from below 1.12 to 1.12, the stale istio-revision-tag-default MutatingWebhookConfiguration is now automatically removed at startup. This webhook was previously managed by istio-operator and is no longer needed; it caused the admission webhook to run twice with conflicting results.
  • Upgrade Note: for previous releases that set ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN, the environment variable must be replaced with ENABLE_ENHANCED_REQUEST_AUTHENTICATION, which is a superset of the functionality previously gated behind ENABLE_JWT_AUTHENTICATION_MANDATORY_JWT_TOKEN. The new, improved behaviour additionally fixes duplication of authentication configuration across hostnames at gateways and optimizes memory consumption.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2025-69720 - No fix available.
  • CVE-2026-4046 - No fix available.
  • CVE-2026-29111 - No fix available.
  • CVE-2026-33231 - No fix available.
  • PRISMA-2022-0168 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2025-66382 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2026-4437 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2026-4438 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2026-22185 - No fix available.
  • CVE-2026-4105 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • TEMP-0841856-B18BAF - No fix available.
  • CVE-2025-70873 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2024-2236 - No fix available.
  • TEMP-0628843-DBAD28 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2023-31437 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2025-14104 - No fix available.
  • CVE-2026-3184 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2021-45346 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2022-0563 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2026-2673 - No fix available.
  • CVE-2023-31438 - No fix available.
  • CVE-2018-20796 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
  • CVE-2025-27587 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • TEMP-0517018-A83CE6 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2005-2541 - No fix available.
  • CVE-2011-4116 - No fix available.
  • CVE-2026-34743 - No fix available.
  • CVE-2025-29481 - No fix available.

Version 1.12.9

  • Fixed the following CVEs: CVE-2025-15467, CVE-2025-69419, CVE-2025-69420, CVE-2026-22795, CVE-2025-69418, CVE-2026-22796, CVE-2025-68160, CVE-2025-69421, CVE-2026-0861.
  • Performance improvements when retrieving data for topology visualization.
  • Fixed the UI when rendering teams with circular dependencies.
  • Added the requireJwt option in Authentication settings, mandating that a request must carry a JWT token. Without this option, an Authorization setting is also required to block requests without JWT tokens.
  • Resolved an issue where the removal of pod annotations was not propagated when Gateway resources were updated.
  • Fixed a data race when generating gateway resources that in rare cases could cause gateway restarts or incorrect values to be used.
  • Fixed a race condition with cluster state reads.
  • Allow setting perTryTimeout in HTTP retry settings even when retries are disabled (attempts set to 0). This enables configuring request timeouts without enabling automatic retries.
  • Validation errors from edge are now propagated when configs are not applied.
  • Added port validation at the host level on Gateway.
  • A diagnostic error message is now sent at the workspace level when no Istio configs are applied due to a validation error.
  • Added metrics and dashboard panels for various components.

New metrics in XCP Central Operator:

  • xcp_operator_central_feature_enabled
  • xcp_operator_central_feature_value
  • xcp_operator_central_feature_value_seconds
  • xcp_operator_central_feature_value_string

New metrics in XCP Edge Operator:

  • xcp_operator_edge_feature_enabled
  • xcp_operator_edge_feature_value
  • xcp_operator_edge_feature_value_seconds
  • xcp_operator_edge_feature_value_string

New metrics in XCP Central:

  • xcp_central_config_status_server_streams_total
  • xcp_central_config_status_server_streams_open_count
  • xcp_central_aggregate_config_status_server_streams_total
  • xcp_central_aggregate_config_status_server_streams_open_count
  • xcp_central_resource_exchange_server_streams_total
  • xcp_central_resource_exchange_server_streams_open_count
  • xcp_central_cluster_state_server_streams_total
  • xcp_central_cluster_state_server_streams_open_count

New metrics in XCP Edge:

  • xcp_edge_config_status_client_streams_total
  • xcp_edge_config_status_client_streams_open_count
  • xcp_edge_resource_exchange_client_streams_total
  • xcp_edge_resource_exchange_client_streams_open_count
  • xcp_edge_cluster_state_client_streams_total
  • xcp_edge_cluster_state_client_streams_open_count
  • xcp_edge_config_translation_attempts_total
  • xcp_edge_config_translation_attempts_failed_total
  • xcp_edge_unmanaged_resources_count
  • Changed name and type of certain metrics to adhere to Prometheus conventions.

Affected metrics:

  • diagnostic_channel_client_up_total (counter) -> diagnostic_channel_client_up (gauge)
  • diagnostic_channel_client_open_channel_websocket_connections_active_count_total (counter) -> diagnostic_channel_client_open_channel_websocket_connections_active_count (gauge)
  • diagnostic_channel_server_up_total (counter) -> diagnostic_channel_server_up (gauge)
  • diagnostic_channel_server_open_channel_requests_active_count_total (counter) -> diagnostic_channel_server_open_channel_requests_active_count (gauge)
  • diagnostic_channel_server_open_channel_websocket_connections_active_count_total (counter) -> diagnostic_channel_server_open_channel_websocket_connections_active_count (gauge)
  • diagnostic_service_up_total (counter) -> diagnostic_service_up (gauge)
  • diagnostic_service_execute_task_running_count_total (counter) -> diagnostic_service_execute_task_running_count (gauge)
  • diagnostic_service_stream_task_running_count_total (counter) -> diagnostic_service_stream_task_running_count (gauge)
  • dns_resolution_cache_domain_names_watched_count_total (counter) -> dns_resolution_cache_domain_names_watched_count (gauge)
  • dns_resolution_cache_domain_names_unresolved_count_total (counter) -> dns_resolution_cache_domain_names_unresolved_count (gauge)
  • ha_cross_partition_requestor_relay_client_streams_open_count_total (counter) -> ha_cross_partition_requestor_relay_client_streams_open_count (gauge)
  • ha_cross_partition_responder_relay_server_streams_open_count_total (counter) -> ha_cross_partition_responder_relay_server_streams_open_count (gauge)
  • ha_secondary_relay_client_streams_open_count_total (counter) -> ha_secondary_relay_client_streams_open_count (gauge)
  • ha_primary_relay_server_streams_open_count_total (counter) -> ha_primary_relay_server_streams_open_count (gauge)
  • current_onboarded_edge_total (counter) -> current_onboarded_edge_total (gauge)
  • xcp_central_pending_configs_total (counter) -> xcp_central_pending_configs_total (gauge)
  • xcp_central_pending_on_ref_configs_total (counter) -> xcp_central_pending_on_ref_configs_total (gauge)
  • Fixed gateway deployments appearing to restart during TSB upgrades when HPA is enabled. Previously, during upgrades, the operator would apply deployment manifests with replicaCount: 1 (the default), temporarily scaling down HPA-managed gateways before HPA scaled them back up. Now, when an HPA exists for a gateway deployment, the operator omits updating replica count, preserving the HPA-managed replica count and preventing unnecessary pod restarts.
  • Fixed OIDC authentication to respect user-defined authScopes configuration. Previously, only the openid scope was being set, ignoring any custom scopes specified.
  • Set ISTIO_PROXY_READINESS_PROBE_TIMEOUT (Custom Timeout added to Tetrate Istio for scale) to 10s for edge gateways.
  • Enable optional metrics in Istio.

Enabled metrics in istiod:

  • pilot_worker_queue_depth
  • pilot_worker_queue_latency
  • pilot_worker_queue_duration
  • pilot_envoy_filter_status
  • xds_cache_reads
  • xds_cache_evictions
  • xds_cache_size
  • xds_cache_dependent_config_size

New metrics in XCP Central:

  • xcp_central_pilot_worker_queue_depth
  • xcp_central_pilot_worker_queue_latency
  • xcp_central_pilot_worker_queue_duration

New metrics in XCP Edge:

  • xcp_edge_pilot_worker_queue_depth
  • xcp_edge_pilot_worker_queue_latency
  • xcp_edge_pilot_worker_queue_duration
  • Fixed a data race that caused central restarts, which was previously mitigated by setting ENABLE_INVALIDATE_CONFIG_STATUS_CACHE_ON_ADMISSION: false.
  • Fixed an issue where gateway pod annotations were not updated correctly. Gateway Deployment updates now use server-side apply instead of merge; this can be reverted to the old behavior by setting USE_SERVER_SIDE_APPLY_FOR_GATEWAY_DEPLOYMENTS to false on the XCP edge operator deployment.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • PRISMA-2022-0168 - No fix available.
  • CVE-2025-8941 - No fix available.
  • CVE-2025-66382 - No fix available.
  • CVE-2025-14104 - No fix available.
  • CVE-2025-15281 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2025-68972 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2025-7709 - No fix available.
  • CVE-2026-22185 - No fix available.
  • CVE-2026-0915 - No fix available.
  • CVE-2024-52005 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2024-2236 - No fix available.
  • TEMP-0628843-DBAD28 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2025-14524 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2025-14819 - No fix available.
  • CVE-2025-9086 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2025-15079 - No fix available.
  • CVE-2019-20838 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2025-15224 - No fix available.
  • CVE-2025-1376 - No fix available.
  • TEMP-0841856-B18BAF - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2025-10148 - No fix available.
  • CVE-2022-0563 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2025-27587 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2023-31437 - No fix available.
  • CVE-2023-31439 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
  • CVE-2021-45346 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • TEMP-0517018-A83CE6 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2005-2541 - No fix available.
  • CVE-2011-4116 - No fix available.
  • CVE-2023-31438 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2025-29481 - No fix available.

Version 1.12.8

  • Fixed the following CVEs: CVE-2025-22872, CVE-2025-61727, GO-2025-4155, CVE-2024-25621, CVE-2025-64329, CVE-2025-47914, CVE-2025-58181, CVE-2024-58251, CVE-2025-46394, CVE-2025-58187, CVE-2025-58183, CVE-2025-47912, CVE-2025-58186, CVE-2025-58188, CVE-2025-61723, CVE-2025-61724, CVE-2025-58189, CVE-2025-61725, CVE-2025-58185, CVE-2025-11579, CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, CVE-2025-8058, CVE-2025-58058, CVE-2025-55199, CVE-2025-47907.
  • Configured the Istiod env ISTIO_GPRC_MAXRECVMSGSIZE to 20 MiB as large customers were seeing the xds size limit being reached in 1.12.
  • Optimized cluster state updates from control plane clusters. Only gateway pod restarts now trigger full cluster state updates, reducing load on the management plane for large installations with many control planes.
  • Minor fix for gateway metrics in the UI: added the version label to gateway deployments.
  • Fixed configuring mesh timeout settings via the TrafficSettings API by removing an incorrect requirement for Istio mTLS.
  • Internal change to coordinate supported minor/release versions during releases through a ConfigMap named xcp-releases. After upgrading, verify that the current XCP release version is updated in the ConfigMap.
  • OpenShift installation: fixed an issue where existing Kubernetes gateway CRDs caused the TSB control plane installation to fail.
  • XCP Central: fixed re-initialization of Central's watcher connection to the Kubernetes API server. The XCP_CENTRAL_K8S_API_SERVER_IDLE_TIMEOUT env variable can be set to customize the timeout duration (default: 10 minutes). The config_controller_restarts_total metric can be used to monitor the number of restarts.
  • Fixed the service entry generation logic for hostnames that differ only by . or -, e.g. bookinfo.tetrate.com and bookinfo-tetrate.com. After the fix, separate ServiceEntries are generated for both.
  • The default value of MAX_CONCURRENT_GATEWAY_RECONCILES on the xcp-operator-edge deployment is now 1, to avoid potential race issues during gateway reconciliation.
  • Fixed WorkloadEntry generation for hosts exposed on tier2 gateways when duplicate hostnames exist on two different gateways in the same cluster.
  • Authorization API enhancement: added a timeout to control how long the proxy waits for the external authorization backend to respond.
  • Fixed an issue so that deleting a cluster now unregisters its services from the service registry.
  • GitOps reconciliation improved: when a TSB Group config is applied and the parent workspace was in a failing state, the workspace's reconciliation is now triggered. This helps with cases such as adding new namespace selectors to workspaces and groups at once.
  • Fixed a validation issue for ManagementPlane and ControlPlane CRs on K8s versions >= 1.30, which was failing due to an invalid spec.validation field.
  • Feature enhancement: TSB Config Status now provides ACCEPTED_COMPOSED and READY_COMPOSED for configs that result from profiles and legacy settings (such as tenant or workspace settings).
  • TSB self-observability dashboards now accept a datasource ID when they are imported or generated. Example command: tctl x grafana upload --datasource-uid <uid>.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • PRISMA-2021-0153 - No fix available.
  • CVE-2025-22227 - No fix available.
  • CVE-2025-37727 - No fix available.
  • CVE-2025-4673 - No fix available.
  • CVE-2025-29481 - No fix available.
  • CVE-2025-66221 - No fix available.
  • CVE-2025-47906 - No fix available.
  • CVE-2025-54388 - No fix available.
  • CVE-2025-8058 - No fix available.
  • TEMP-0628843-DBAD28 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2013-4392 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2011-4116 - No fix available.

Version 1.12.7

  • Fixed the following CVEs: CVE-2025-62409, CVE-2025-62504, CVE-2025-47907, CVE-2025-22869, CVE-2025-22868, CVE-2025-0913, CVE-2025-4673, CVE-2025-47906, CVE-2025-22872, CVE-2025-22871, CVE-2025-22870, CVE-2025-8058, CVE-2025-9230, CVE-2025-9231, CVE-2025-9232, CVE-2025-8715, CVE-2025-8714, CVE-2025-4207, CVE-2025-8713, CVE-2025-58058, CVE-2025-55199, CVE-2025-4802, CVE-2025-54388.
  • Fixed a config status reporting issue where a change that reverted to a previous state was sometimes not reported, resulting in incorrect status. Note: this fix may report occasional duplicate events.
  • Replaced OpenCensus with OpenTelemetry (OTel) for metrics transfer from the control plane to the management plane. Important: refer to the upgrade instructions in the documentation.
  • Improved error detection when generating PostgreSQL backups.
  • Resolved an issue with large (> 64 KB) Istio ConfigMaps.

Outstanding CVEs

At the time of shipping, no Critical or High vulnerabilities were flagged. The following medium/low CVEs have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.

  • CVE-2024-10963 - No fix available.
  • CVE-2025-7709 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2025-11579 - No fix available.
  • CVE-2024-52005 - No fix available.
  • GO-2025-3900 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2025-30698 - No fix available.
  • CVE-2025-9086 - No fix available.
  • CVE-2025-8114 - No fix available.
  • CVE-2025-6297 - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2025-10148 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2025-46394 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2025-27587 - No fix available.
  • CVE-2025-21587 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
  • TEMP-0517018-A83CE6 - No fix available.
  • CVE-2011-4116 - No fix available.
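The Fixed and Outstanding lists in each version block are what a scan of the shipped images should be reconciled against: a finding that appears in neither list needs its own triage, a finding listed as fixed that still shows up usually means the scanned tag is not this release (or the scanner database lags), and an assessed ID that your scanner rates High or Critical contradicts the statement above and deserves a second look. The following script is an added example, not part of TSB or tctl. It parses release-note text in this page's format and a minimal scanner report whose id/severity fields are an assumption; the embedded notes are abridged from the 1.12.7 block and the scanner findings are constructed.

```python
"""Reconcile a container-image scan against a release-notes version block.

Hypothetical helper, not part of TSB or tctl. It parses release notes in
the plain-text format used on this page ("Fixed ... CVE-..." bullets and
"Outstanding CVEs" bullets) and a minimal scanner report, then sorts the
scanner's findings into: accepted by the vendor assessment, still flagged
although listed as fixed, and not assessed at all.
"""
import json
import re

# Identifier formats that appear in the release notes: CVE, GitHub advisory,
# Prisma, Debian temporary IDs and Go vulnerability database IDs.
ID_RE = re.compile(
    r"\b(?:CVE-\d{4}-\d{4,}"
    r"|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}"
    r"|PRISMA-\d{4}-\d{4}"
    r"|TEMP-\d{7}-[0-9A-F]{6}"
    r"|GO-\d{4}-\d{4})\b"
)
# Both phrasings used on the page: "Fixed CVE-..." and "Fixed the following CVEs: CVE-..."
FIXED_RE = re.compile(r"^Fixed(?: the following CVEs:)? CVE-")


def parse_release_notes(text):
    """Map each 'Version X' block to a (fixed_ids, outstanding_ids) pair of sets."""
    versions, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("Version "):
            current = line.split(None, 1)[1]
            versions[current] = (set(), set())
            section = "fixed"
            continue
        if current is None:
            continue
        if line == "Outstanding CVEs":
            section = "outstanding"
            continue
        fixed, outstanding = versions[current]
        if section == "fixed" and FIXED_RE.match(line):
            fixed.update(ID_RE.findall(line))
        elif section == "outstanding" and line.endswith("No fix available."):
            outstanding.update(ID_RE.findall(line))
    return versions


def triage(versions, version, findings):
    """Sort scanner findings (dicts with 'id' and 'severity') for one version."""
    fixed, outstanding = versions[version]
    out = {"accepted": [], "severity_disagreement": [],
           "still_flagged_after_fix": [], "unassessed": []}
    for finding in findings:
        vid = finding["id"]
        if vid in outstanding:
            out["accepted"].append(vid)
            # The notes say only medium/low findings remain; a High/Critical
            # rating from the scanner contradicts that and should be re-checked.
            if finding.get("severity", "").upper() in ("HIGH", "CRITICAL"):
                out["severity_disagreement"].append(vid)
        elif vid in fixed:
            # Listed as fixed in this version yet still present: most likely the
            # scanned tag is not this version, or the scanner database lags.
            out["still_flagged_after_fix"].append(vid)
        else:
            out["unassessed"].append(vid)
    return {bucket: sorted(ids) for bucket, ids in out.items()}


# Constructed excerpt in the page's own format (identifiers abridged from
# the 1.12.7 block above).
NOTES = """\
Version 1.12.7

  • Fixed the following CVEs: CVE-2025-62409, CVE-2025-47907, CVE-2025-22869.
  • Improved error detection when generating Postgres backups.

Outstanding CVEs

At the time of shipping, no Critical or High vulnerabilities were flagged.

  • CVE-2024-10963 - No fix available.
  • GO-2025-3900 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
"""

# Constructed scanner output; real scanners emit richer JSON, so map your
# tool's fields onto 'id' and 'severity' before calling triage().
SCAN = json.dumps([
    {"id": "CVE-2024-10963", "severity": "HIGH"},
    {"id": "CVE-2025-47907", "severity": "HIGH"},
    {"id": "GO-2025-3900", "severity": "MEDIUM"},
    {"id": "CVE-2025-4802", "severity": "MEDIUM"},
])


def run_sample():
    """Reconcile the constructed scan against the 1.12.7 excerpt."""
    return triage(parse_release_notes(NOTES), "1.12.7", json.loads(SCAN))


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Paste the version block you are deploying into NOTES (or read it from a file) and export your scanner's findings as id/severity pairs. The unassessed bucket is the one that needs human triage; the still_flagged_after_fix bucket is a signal to verify the image tag and the scanner's database before assuming a regression.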

Version 1.12.6

  • Fixed the following CVEs: CVE-2025-54988, CVE-2025-48924, CVE-2025-47907, CVE-2025-55163, CVE-2025-22868, CVE-2025-22874, CVE-2025-22871, CVE-2025-22872, CVE-2025-4673, CVE-2025-0913.
  • Fixed an issue where the IAM component required a restart before Control Plane clusters reported their status. IAM now updates automatically by subscribing to TSB Service Account events.

Outstanding CVEs

At the time of shipping, no Critical or High vulnerabilities were flagged. The following medium/low CVEs have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.

  • CVE-2025-4802 - No fix available.
  • PRISMA-2022-0168 - No fix available.
  • CVE-2025-46835 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2025-40909 - No fix available.
  • CVE-2025-8885 - No fix available.
  • CVE-2025-0913 - No fix available.
  • CVE-2025-32989 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2025-4673 - No fix available.
  • CVE-2025-5702 - No fix available.
  • CVE-2025-27613 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2025-8916 - No fix available.
  • CVE-2025-32988 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2025-30698 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2025-30691 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2025-58050 - No fix available.
  • CVE-2019-20838 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2025-27587 - No fix available.
  • CVE-2025-21587 - No fix available.
  • CVE-2023-31438 - No fix available.

Version 1.12.5

  • Fixed CVE-2025-29914, CVE-2025-22874, CVE-2025-0913, CVE-2025-4673, CVE-2025-31672, GHSA-fv92-fjc5-jj9h, CVE-2025-4598, CVE-2024-26462, CVE-2023-4641, CVE-2024-12243, CVE-2025-0395, CVE-2024-6602, CVE-2025-1390, CVE-2025-24528, CVE-2024-12133, CVE-2024-5535, CVE-2024-13176, CVE-2025-5222, CVE-2025-22871, CVE-2025-22872, CVE-2025-53547.
    • As part of the fix for CVE-2025-29914, the WAF image has been updated to include Coraza WAF v3.3.3 and CRS v4.14.0. If you need to use a custom WAF image, you can do so via a WASM extension resource.
  • Fixed HTTP/2 issue between OAP service and ElasticSearch.
  • Added metrics for the embedded PostgreSQL service for easier monitoring of this service.
  • Improved generation of Management Plane UI authentication cookie to address a possible security issue.
  • Fixed validation bug that prevented certain configurations for Tier-2 (App) gateways.
  • Fixed CNI IOP conflict with Install IOP, which prevented installation under certain circumstances on OpenShift.
  • Fixed a bug in configuration profile merging with zero values in keys. Note: this fix changed the protobuf definition of the API, which is a breaking change in some languages such as Go, because some scalar fields were updated to use pointers so that unset and zero values can be distinguished correctly.
  • Fixed bug where authorization service accounts might not be correctly scoped to clusters.
  • Moved internal service registry sync to react to cluster changes instead of being a periodic task to improve performance. This deprecates the flag registry-interval of the API server component.
  • Fixed how authorization policies in CUSTOM mode with allowed service accounts are restricted to parent target clusters. Now the service accounts are converted into fully qualified 3-part IDs tied to each targeted cluster in parent rules, instead of all the known onboarded clusters.
  • Fixed an issue where stricter propagation settings in security settings didn’t propagate the traffic mode. Additionally, this update has improved the compatibility of profiles with the security settings.
  • Fixed an issue with the configuration status for the install gateways. Some state changes related to the replica count were overlooked.
  • Fixed an issue where the API server wouldn’t boot if segmentation was previously used.

UI

  • Added a new Health tab to the workspace detail page, providing a more consistent and reliable view of service metrics. The data shown in tables and charts is now fetched in a more efficient way, improving performance and ensuring the same values are displayed across different parts of TSB UI.
  • Service Topology view for Ambient Clusters was enhanced to allow the user to view the graph with or without Waypoints and with ambient objects annotated.

Outstanding CVEs

At the time of shipping, no Critical or High vulnerabilities were flagged. The following medium/low CVEs have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.

  • CVE-2023-45853 - No fix available.
  • CVE-2025-4802 - No fix available.
  • CVE-2025-6020 - No fix available.
  • CVE-2025-6965 - No fix available.
  • PRISMA-2022-0168 - No fix available.
  • CVE-2023-31484 - No fix available.
  • CVE-2024-22365 - No fix available.
  • CVE-2024-10041 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2025-45582 - No fix available.
  • CVE-2024-10963 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2025-40909 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2024-52005 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2025-29481 - No fix available.
  • CVE-2025-29088 - No fix available.
  • CVE-2016-20013 - No fix available.
  • CVE-2025-6141 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2013-4392 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2011-3374 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2019-20838 - No fix available.
  • CVE-2023-31437 - No fix available.
  • CVE-2023-31486 - No fix available.
  • CVE-2025-27587 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2019-9192 - No fix available.
  • CVE-2022-0563 - No fix available.
  • TEMP-0290435-0B57B5 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2025-30258 - No fix available.
  • TEMP-0517018-A83CE6 - No fix available.
  • CVE-2011-3389 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2025-6297 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2025-5278 - No fix available.
  • CVE-2005-2541 - No fix available.
  • CVE-2018-6829 - No fix available.
  • CVE-2023-31438 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2023-31439 - No fix available.
  • CVE-2007-5686 - No fix available.
  • CVE-2023-26604 - No fix available.
  • TEMP-0628843-DBAD28 - No fix available.
  • CVE-2021-45346 - No fix available.
  • TEMP-0841856-B18BAF - No fix available.
  • CVE-2017-18018 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2011-4116 - No fix available.
  • CVE-2022-41409 - No fix available.

Version 1.12.4

  • Fixed CVE-2024-13176, CVE-2025-32414, CVE-2025-32415, CVE-2025-32386, CVE-2025-30153, CVE-2025-22871, CVE-2025-22872, CVE-2024-45341, CVE-2024-45336, CVE-2025-0395, CVE-2025-22866.
  • TSB operator performance improvements: reduced resource usage of the management and control plane operators, reduced the Kubernetes resources being watched, and reconfigured the Istio gitops webhooks to only capture the TSB related resources.
  • Fixed an issue where OAP metrics could not be disabled.
  • Fixed a bug where the deletion protection webhook caBundle was overwritten by the kube-apiserver.
  • Added support for transitioning from control plane managed gateway installs to management plane managed gateway installs.
  • Added path_prefix to the external authorization configuration. This option prefixes the external authz call with the supplied path.
  • Added allowed_upstream_headers to the external authorization configuration. This option forwards the listed headers from the external authz response to the upstream.
  • Added support for discovering Kubernetes Gateway in OBSERVE mode.
  • Enhanced HTTP ratelimit to be only called for configured hostnames on shared gateways.
  • Fixed an issue that caused infinite reconciliation of registered services containing dots in the name.
  • Fixed an issue that didn't update the segmentation internal runtime state with cluster updates.
  • Improved the configuration propagation time from the Database to the XCP component.
  • Optimized the memory usage of the TSB operator when gitops is enabled.
  • Fixed the tctl x app-ingress command to run with Istio 1.24.5.
  • Added support for annotating Organization, Cluster, Tenant, Workspace, and Group resources with segmentation membership, for example segmentation.tetrate.io/membership: policyA/zone1,policyA/zone2.

Outstanding CVEs

At the time of shipping, no Critical or High vulnerabilities were flagged. The following medium/low CVEs have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.

  • PRISMA-2022-0168 - No fix available.
  • CVE-2025-4598 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-10041 - No fix available.
  • CVE-2024-10963 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2025-3576 - No fix available.
  • CVE-2025-31672 - No fix available.
  • CVE-2025-29481 - No fix available.
  • CVE-2025-46836 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2025-29088 - No fix available.
  • CVE-2025-30698 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2025-5745 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-31484 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2025-40909 - No fix available.
  • CVE-2025-30258 - No fix available.
  • CVE-2024-22365 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2022-41409 - No fix available.
  • CVE-2025-1390 - No fix available.

Version 1.12.3

  • Fixed CVE-2025-22870, CVE-2025-22872, CVE-2025-22869, CVE-2025-30204, CVE-2025-32386, CVE-2025-32387, CVE-2024-40635.
  • Added the capability to fail back after a Management Plane failover.
  • Enabled mountInternalWasmExtensions and identityPropagation by default in Ambient mode.
  • Fixed service state reporting by XCP Edge in Ambient mode.
  • Fixed the metadata exchange filter configuration for Ambient mode with ISB enabled.
  • Stopped aligning trust domains for services reported by XCP in the Service registry.
  • Fixed status reporting in the TSB Operator for Onboarding components.
  • Fixed workload listing in Proxy tools for non-injection namespaces.
  • Improved the OAP PromQL service: metadata (traffic) queries now support a result-count limit and regex-match filtering.
  • Enhance the installation gateway resource configuration status reporting by providing detailed information about the deployment and service associated with the installed gateway.
  • Enhanced custom OutlierDetection settings in TrafficSettings by adding configuration capability for maxEjectionTime and maxEjectionPercent.
  • Improve the config status search by FQDN to include redirects, subsets, and ports matching analysis.
  • Embedded Postgres: Fix an upgrade issue where replicas before 1.12.0 didn't properly upgrade connection details to the primary node using TLS.
  • Embedded Postgres: Remove Postgres noisy logs about no TLS-secured connections caused by the k8s health check. It now uses TLS certs.
  • Embedded Postgres: Kubernetes limits and resources apply now to Postgres init containers.
  • tctl x verify gateway-certs extends verifications to include matching hostnames from configurations and certs, matching certs from secrets and running proxies, and checking invalid keys in TLS secrets.

Outstanding CVEs

At the time of shipping, no Critical or High vulnerabilities were flagged. The following medium/low CVEs have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.

  • PRISMA-2022-0168 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-10041 - No fix available.
  • CVE-2024-13176 - No fix available.
  • CVE-2025-3277 - No fix available.
  • CVE-2025-29088 - No fix available.
  • CVE-2024-10963 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2025-3576 - No fix available.
  • CVE-2024-52005 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2025-29481 - No fix available.
  • CVE-2025-29087 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2019-20838 - No fix available.
  • CVE-2019-1010022 - No fix available.
  • CVE-2023-26604 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-56433 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2025-1376 - No fix available.
  • CVE-2022-41409 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2019-1010025 - No fix available.
  • CVE-2016-20013 - No fix available.
  • CVE-2025-1352 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2019-1010024 - No fix available.
  • CVE-2019-1010023 - No fix available.
  • CVE-2019-9192 - No fix available.

Version 1.12.2

  • Fixed the following CVEs: CVE-2025-22869, CVE-2025-30204.
  • Added a status subresource to the ManagementPlane and ControlPlane CRDs in the Helm charts.
  • Added scale improvements in the control plane operators.
  • Fixed a WorkloadEntry generation issue caused by the limit Istio added on the number of labels in the WorkloadEntry spec.

Outstanding CVEs

At the time of shipping, no Critical or High vulnerabilities were flagged. The following medium/low CVEs have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.

  • PRISMA-2022-0168 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-10041 - No fix available.
  • CVE-2025-1390 - No fix available.
  • CVE-2025-3277 - No fix available.
  • CVE-2024-10963 - No fix available.
  • CVE-2024-12133 - No fix available.
  • CVE-2025-3576 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2025-30258 - No fix available.
  • CVE-2025-24528 - No fix available.
  • CVE-2025-1376 - No fix available.
  • PRISMA-2022-0164 - No fix available.
  • CVE-2025-27144 - No fix available.
  • CVE-2025-0395 - No fix available.
  • CVE-2025-29088 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2023-31484 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-9143 - No fix available.

Version 1.12.1

  • Added support for multiple hosts in the n2ac component for external Postgres datastore.
  • Credentials provided for the data store username and password will now be automatically URL-encoded and stored in the postgres-credentials secret within the Management Plane namespace. This change helps ensure compatibility with database drivers that require URL-encoded credentials (especially when using non-standard characters). If you are already supplying URL-encoded credentials, you must do one of the following to avoid double-encoding:
    1. Update the secret to remove the URL encoding, or
    2. Set passwordEncoding to URL in the ManagementPlane CR, as shown below:
       spec:
         dataStore:
           passwordEncoding: URL
    No additional action is required if your credentials are not already URL-encoded.
  • Prevent Direct mode objects from being attached to Bridged mode Groups.
  • Added the FORCE_ALLOW_REUSE_OF_EDGE_CLUSTER_NAME environment variable to XCP Central to support edge clusters that retain the same name after a control plane cluster rebuild or re-installation.
    • Previously, when an edge cluster was rebuilt, it received a new UID, causing Central to reject updates from the cluster. Enabling this flag allows Central to bypass the UID check and accept updates from the edge cluster.
    • When enabled, Central will accept configuration updates from clusters that share the same name. However, this can potentially overwrite updates from the original cluster, which may not be the desired behavior. As a precaution, this feature is disabled by default.
  • Istio IsolationBoundary is now enabled by default.
  • Added Alpha support for Istio Ambient mode.
  • Added support for XCP managed selfSigned webhook certificates.
  • Added an option to disable the cert-manager installation by using the tsbManaged internal certificate provider.
  • Added a new API to list the config status related to a given FQDN, available with the tctl status --fqdn command.
  • Fixed the following CVEs: CVE-2025-22870, CVE-2025-30204, CVE-2024-21235, CVE-2024-55549, CVE-2025-24855, CVE-2025-27113, CVE-2025-1094, CVE-2024-12797, CVE-2025-27144.

Upgrade Notes

  • If you are running TSB version 1.10.x or below without the IsolationBoundary feature enabled, please be aware that it must be enabled as a pre-upgrade step before moving to TSB version 1.12.1. This involves performing a helm upgrade --install with an updated Control Plane CR that includes the IB configuration.

  • Starting from TSB version 1.9.x, if IsolationBoundary is enabled and your upgrade steps still reference the dataplane component installation, those steps must be removed from the upgrade process. The dataplane component is not applicable when IsolationBoundary is enabled and may cause interference. Use the --exclude-dataplane flag of tctl generate manifests to generate manifests without dataplane components.

  • During the Control Plane upgrade, TSB automatically upgrades the Istio installation to the latest version if the istio.tsbVersion field is not specified in the IsolationBoundary configuration.

  • If you have IsolationBoundary enabled in your Control Plane clusters and want to opt for an automatic Istio upgrade along with the Control Plane upgrade, ensure that the istio.tsbVersion field is left empty.

    isolationBoundaries:
    - name: global
      revisions:
      - name: default
        istio: {}
      - name: canary
        istio: {}
  • In some upgrade scenarios, the previous tsb-controlplane may not terminate fully. This can lead to a race condition where the ControlPlane CR gets defaulted with a tsbVersion, reverting to older behavior. If this happens during an in-place upgrade, manually remove the tsbVersion field from the ControlPlane CR. If manual intervention isn't possible, please contact Tetrate Support to discuss adding a post-upgrade step to your pipeline.

  • To improve reliability, TSB has introduced changes that require a one-time transient downtime during the upgrade. The downtime will last as long as it takes for all IstioD pods to complete their upgrade.

    Avoiding Downtime

    • If a transient downtime during the upgrade is not acceptable, you can avoid it by applying an overlay to the IstioD deployment before upgrading.
    • This overlay should modify the DISCOVERY_REVISIONS environment variable to include all revisions within the same IsolationBoundary, as well as the boundary name itself, separated by commas.
    • For example, if you have two revisions, default and canary, under the global boundary, the overlay would look like this:
      isolationBoundaries:
      - name: global
        revisions:
        - name: default
          istio:
            kubeSpec:
              deployment:
                env:
                - name: DISCOVERY_REVISIONS
                  value: default,canary,global
        - name: canary
          istio:
            kubeSpec:
              deployment:
                env:
                - name: DISCOVERY_REVISIONS
                  value: default,canary,global
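Whether the overlay above is actually in effect is best confirmed on the rendered istiod Deployments rather than on the ControlPlane CR, because an overlay that was rejected or applied to the wrong revision leaves the CR looking correct while the upgrade still restarts istiod without the full revision list. The following script is an added example, not TSB or tctl code: it reads the JSON printed by kubectl get deployments -n istio-system -o json and flags any istiod whose DISCOVERY_REVISIONS does not list every revision of the boundary plus the boundary name. It assumes istiod Deployments carry the labels app=istiod and istio.io/rev=<revision name>, and that the revision label matches the revision name used in the ControlPlane CR; the embedded Deployment list is constructed.

```python
"""Pre-upgrade check for the DISCOVERY_REVISIONS overlay.

Added example, not TSB or tctl code. It reads the JSON printed by
`kubectl get deployments -n istio-system -o json` and verifies that every
istiod Deployment of an IsolationBoundary lists all of the boundary's
revisions plus the boundary name in DISCOVERY_REVISIONS. Assumptions:
istiod Deployments carry app=istiod and istio.io/rev=<revision> labels,
and that label equals the revision name in the ControlPlane CR.
"""
import json
import sys


def discovery_revisions(deployment):
    """Return the DISCOVERY_REVISIONS value from the pod template, or None if unset."""
    pod_spec = deployment["spec"]["template"]["spec"]
    for container in pod_spec.get("containers", []):
        for env in container.get("env", []):
            if env.get("name") == "DISCOVERY_REVISIONS":
                return env.get("value", "")
    return None


def check_boundary(deployment_list, boundary, revisions):
    """Return {deployment name: sorted missing entries} for each istiod of the
    boundary whose DISCOVERY_REVISIONS is incomplete, plus one entry per
    revision that has no istiod Deployment at all. An empty dict means the
    overlay is in place for the whole boundary."""
    expected = set(revisions) | {boundary}
    problems, seen = {}, set()
    for dep in deployment_list.get("items", []):
        labels = dep["metadata"].get("labels", {})
        rev = labels.get("istio.io/rev")
        if labels.get("app") != "istiod" or rev not in revisions:
            continue
        seen.add(rev)
        value = discovery_revisions(dep) or ""
        present = {entry.strip() for entry in value.split(",") if entry.strip()}
        missing = expected - present
        if missing:
            problems[dep["metadata"]["name"]] = sorted(missing)
    for rev in sorted(set(revisions) - seen):
        problems[f"<no istiod found for revision {rev}>"] = sorted(expected)
    return problems


# Constructed Deployment list: istiod-default carries the full overlay,
# istiod-canary is missing the boundary name, the gateway is not istiod.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "istiod-default",
                  "labels": {"app": "istiod", "istio.io/rev": "default"}},
     "spec": {"template": {"spec": {"containers": [{"name": "discovery", "env": [
         {"name": "DISCOVERY_REVISIONS", "value": "default,canary,global"}]}]}}}},
    {"metadata": {"name": "istiod-canary",
                  "labels": {"app": "istiod", "istio.io/rev": "canary"}},
     "spec": {"template": {"spec": {"containers": [{"name": "discovery", "env": [
         {"name": "DISCOVERY_REVISIONS", "value": "default,canary"}]}]}}}},
    {"metadata": {"name": "istio-ingressgateway",
                  "labels": {"app": "istio-ingressgateway"}},
     "spec": {"template": {"spec": {"containers": [{"name": "istio-proxy"}]}}}},
]})


def load_sample():
    """The constructed Deployment list as a dict."""
    return json.loads(SAMPLE)


def main(argv):
    if len(argv) > 1:
        # A file holding `kubectl get deployments -n istio-system -o json` output.
        with open(argv[1]) as fh:
            deployments = json.load(fh)
    else:
        deployments = load_sample()
    problems = check_boundary(deployments, "global", ["default", "canary"])
    for name, missing in problems.items():
        print(f"{name}: DISCOVERY_REVISIONS is missing {', '.join(missing)}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as kubectl get deployments -n istio-system -o json > deploys.json followed by python3 check_discovery_revisions.py deploys.json (edit the boundary name and revision list in main to match your ControlPlane CR); a non-zero exit means at least one istiod would be upgraded without the full revision list and the transient downtime described above still applies.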

UI

  • Fixed the backward compatibility issue of status_code and percentile metrics in the UI.
  • Fixed an issue where the paths and methods of LocalAuthZ could not be edited in the UI.
  • Fixed a bug where the service is not refreshed by the Refresh Button in the UI.
  • Fixed an issue where the Segmentation Toggle was wrongly displayed in the TIS+ UI.
  • Added support for Install Gateway.
  • Added Hostname and External Addresses options to the search functionality in the Workspace Propagation view.

Outstanding CVEs

At the time of shipping, no Critical or High vulnerabilities were flagged. The following medium/low CVEs have been identified by our security tools as present in some images. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained using static code analysis tools.

  • CVE-2025-1376 - No fix available.
  • CVE-2024-10041 - No fix available.
  • CVE-2025-1390 - No fix available.
  • CVE-2024-8176 - No fix available.
  • CVE-2024-12243 - No fix available.
  • CVE-2025-1371 - No fix available.
  • CVE-2024-10963 - No fix available.
  • CVE-2024-12133 - No fix available.
  • CVE-2025-24528 - No fix available.
  • CVE-2024-52005 - No fix available.
  • CVE-2024- - No fix available.
  • CVE-2025-23022 - No fix available.
  • CVE-2025-1372 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2025-27516 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2025-0167 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2024-9143 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-22365 - No fix available.

Version 1.12.0

  • Added the K8S_CACHE_SYNC_TIMEOUT environment variable to the TSB operators to configure the amount to wait for the Kubernetes cache synchronization when the operator pods start. The default value is 2 minutes, but in large environments with lots of configuration objects this may need to be increased.
  • The rate limit filters were not installed on the listeners on port 15443, which is used for multi-cluster traffic. Starting in 1.12, rate limits are also enforced for traffic going through that port. This can be a breaking change for some applications and can be turned off by applying the following overlay to the ControlPlane resource in the application clusters:
    spec:
      components:
        xcp:
          kubeSpec:
            overlays:
            - apiVersion: install.xcp.tetrate.io/v1alpha1
              kind: EdgeXcp
              name: edge-xcp
              patches:
              - path: spec.components.edgeServer.kubeSpec.deployment.env[-1]
                value:
                  name: DISABLE_RATE_LIMIT_PORT_15443
                  value: "true"
  • The built-in roles have been updated to include permissions to manage configuration profiles.
  • Segmentation Membership objects now accept the FQN of Cluster objects in the fqnSelector field to create cluster-based policies.
  • Traffic settings in configuration profiles have been moved from the trafficSettings field to a new traffic field. All traffic-related settings are now enforced exclusively under the inbound and outbound fields, available in both the defaults and mandates sections of a profile. The deprecation warnings in the TrafficSettings field documentation identify where each deprecated field has been relocated in the new structure. Example migration:
    Before:
    mandates:
      trafficSettings:
        reachability:
          mode: CUSTOM
          hosts:
          - ns1/*
    After:
    mandates:
      traffic:
        outbound:
          reachability:
            mode: CUSTOM
            hosts:
            - ns1/*

Upgrade notes

OAP Upgrade

OAP adds more attributes to metrics for querying and analysis. During an upgrade, OAP keeps the management plane and the control plane compatible with each other. Within a cluster, however, OAP instances route metrics to and aggregate metrics from each other, so a rolling update in a cluster can cause replicas to temporarily stop aggregating metrics while the old and the new version are running at the same time. This can produce expected errors in the logs, such as:

2025-02-20 10:18:21,922 - org.apache.skywalking.oap.server.core.remote.RemoteServiceHandler -44362 [grpc-default-executor-1] ERROR [] - Index 2 out of bounds for length 2

The OAP instances resume aggregating metrics and stop printing the above logs once the upgrade is complete. Although this is normal and expected, you can avoid it by upgrading OAP as follows:

  1. Before upgrading, scale the OAP replicas down to 0.
  2. Scale the OAP replicas back up after the deployment has been upgraded.