Tetrate Service Bridge, Version: 1.8.x

Release Notes

Version 1.8.2

TSB 1.8.2 is a patch release that includes stability and reliability updates, along with fixes to CVEs in TSB's dependencies.

Outstanding CVEs

At the time of shipping, no Critical vulnerabilities are flagged. One High CVE (CVE-2019-0190) is flagged, but it can be ignored because it is a false positive for TSB image(s). The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2019-0190 - Not vulnerable as the images do not include mod_ssl which is vulnerable to attack.
  • GHSA-3m87-5598-2v4f - Not vulnerable - Advisory withdrawn
  • PRISMA-2021-0153 - No fix available
  • CVE-2024-28835 - No fix available
  • CVE-2024-26462 - No fix available
  • CVE-2024-28180 - No fix available
  • CVE-2021-31879 - No fix available
  • CVE-2024-28834 - No fix available
  • CVE-2024-26461 - No fix available
  • CVE-2024-26458 - No fix available
  • CVE-2024-2236 - No fix available
  • PRISMA-2023-0046 - No fix available
  • CVE-2022-3219 - No fix available
  • CVE-2023-50495 - No fix available
  • CVE-2023-45918 - No fix available
  • CVE-2023-29383 - No fix available
  • CVE-2023-34969 - No fix available
  • CVE-2022-4899 - No fix available
  • CVE-2023-7008 - No fix available
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-49240 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2022-27943 - No fix available
  • CVE-2022-3857 - No fix available
  • CVE-2016-2781 - No fix available

Version 1.8.1

What’s New

  • IsolationBoundary is now supported in OpenShift

Bug Fixes and Improvements

  • Controlplane upgrades using IsolationBoundary have become more seamless and backward compatible:
    • The global boundary and default revision are configured automatically as the default in the TSB controlplane when IsolationBoundary is enabled.
    • Existing TSB workspaces, and the workloads and namespaces under them, do not require any changes from the user when IsolationBoundary is enabled during an upgrade.
    • Once IsolationBoundary is enabled, all existing TSB workspaces are considered to be under the global boundary by default.

Outstanding CVEs

At the time of shipping, the following CVEs had been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2016-2781 - No fix available
  • CVE-2019-0190 - No fix available
  • CVE-2019-10743 - No fix available
  • CVE-2021-31879 - No fix available
  • CVE-2022-27943 - No fix available
  • CVE-2022-3219 - No fix available
  • CVE-2022-3715 - No fix available
  • CVE-2022-3857 - No fix available
  • CVE-2022-4899 - No fix available
  • CVE-2023-29383 - No fix available
  • CVE-2023-34969 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4039 - No fix available
  • CVE-2023-42363 - No fix available
  • CVE-2023-42364 - No fix available
  • CVE-2023-42365 - No fix available
  • CVE-2023-42366 - No fix available
  • CVE-2023-4641 - No fix available
  • CVE-2023-48795 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-49240 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-50495 - No fix available
  • CVE-2023-52425 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-52426 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5678 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6129 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6237 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6992 - No fix available
  • CVE-2023-7008 - No fix available
  • CVE-2024-0727 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-21664 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • GHSA-7ww5-4wqc-m92c - No fix available
  • PRISMA-2021-0153 - Not a valid CVE / no fix available
  • PRISMA-2023-0046 - Not a valid CVE / no fix available

Version 1.8.0

What's New

  • OIDC authentication for gateways: It is now possible to authenticate requests at the gateway using an external OIDC provider. Currently, the Authorization Code grant type is supported.

  • Isolation Boundaries moved to GA:

    • Isolation Boundaries now work across east-west traffic as well.
    • VM workloads can be onboarded to a specific isolation boundary.
    • Istio configuration can be provided for each revision separately under an isolation boundary.
    • This feature is disabled by default. To enable it, set the following configuration in the XCP component of the ControlPlane resource:
      components:
        xcp:
          isolationBoundaries:
          - name: global
            revisions:
            - istio:
                tsbVersion: 1.8.0
              name: default
          - name: dev
            revisions:
            - istio:
                tsbVersion: 1.8.0
              name: dev-stable
  • Identity Propagation Improvements:

    • TSB Internal WASM modules used for Identity Propagation can be directly mounted in the Sidecar, Ingress and Egress gateway pods instead of being downloaded from image registries.
    • mountInternalWasmExtensions under istio component is enabled by default.
    • Identity Propagation as a feature is disabled by default. To enable it, set the following configuration in the XCP component of the ControlPlane resource:
      components:
        xcp:
          enableHttpMeshInternalIdentityPropagation: true
  • TSB resource names now must conform to RFC 1123:

    • Must be between 1 and 63 characters.
    • Begin and end with an alphanumeric character.
    • Can include lowercase alphanumeric characters or -.
  • In Istio 1.19, a new TLS mode, OPTIONAL_MUTUAL, has been introduced within server TLS settings, and this enhancement has been incorporated into TSB APIs. For more details, refer to the Istio documentation.

  • The tier1_cluster flag in the cluster object is set to be deprecated in upcoming releases. This change is due to the ability of all clusters to now accommodate both Tier1 and IngressGateways. For more details, refer to the documentation.

  • Enhanced hostsReachability to configure and limit the scope of service entries created for canonical services when eastwest is enabled. For more details, refer to the documentation.

  • Resolved edge crash issues caused by node or namespace events.

  • Enable PromQL Service in the Control Plane OAP.
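
The RFC 1123 naming rules listed above for TSB resource names, as an added example (not Tetrate's code) that reports which rule each name breaks, so existing names can be reviewed before upgrading. The function names and the sample names are assumptions constructed for illustration.

```python
import re

ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-")

# Single-regex form of the same rules: 1-63 characters, lowercase
# alphanumerics or '-', alphanumeric at both ends.
LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def conforms(name: str) -> bool:
    """True when the name satisfies all three rules from the release notes."""
    return LABEL_RE.fullmatch(name) is not None


def name_violations(name: str) -> list[str]:
    """Return the rules a name breaks; an empty list means it conforms."""
    problems = []
    if not 1 <= len(name) <= 63:
        problems.append(f"length {len(name)} is outside 1-63")
    bad = sorted({c for c in name if c not in ALLOWED})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    if name and (name[0] == "-" or name[-1] == "-"):
        problems.append("must begin and end with an alphanumeric character")
    return problems


def audit(names):
    """Map each non-conforming name to its violations, for a pre-upgrade review."""
    return {n: v for n in names if (v := name_violations(n))}


# Constructed sample names, not taken from any real TSB installation.
SAMPLE_NAMES = ["payments", "Payments-Prod", "bookinfo_ws", "-edge", "gw-", "a" * 64, "t1"]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_NAMES).items():
        print(f"{name!r}: {'; '.join(why)}")
```

Uppercase letters and underscores are the usual offenders in names created before this rule applied; both are reported under the character rule rather than the begin/end rule.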

Bug Fixes and Improvements

  • Fixed issues with VM gateway not working when ISTIO_ISOLATION_BOUNDARIES is enabled.
  • Fixed an issue with creating non-revisioned configuration when only one isolation boundary's services are being exposed from a remote cluster while the local cluster has multiple boundaries.
  • Fixed an issue where namespace deletion and creation during the edge lifecycle removed the namespace from the cache.
  • The global Telemetry object xcp-mesh-default required for enabling telemetry has been freed up, and its functionality has shifted to the Istio Operator.

Outstanding CVEs

  • CVE-2010-0834 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2018-6557 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2016-2781 - No fix available
  • CVE-2018-1000007 - No fix available
  • CVE-2019-0190 - No fix available
  • CVE-2019-10743 - No fix available
  • CVE-2021-31879 - No fix available
  • CVE-2022-27943 - No fix available
  • CVE-2022-3219 - No fix available
  • CVE-2022-3715 - No fix available
  • CVE-2022-3857 - No fix available
  • CVE-2022-48522 - No fix available
  • CVE-2022-4899 - No fix available
  • CVE-2023-29383 - No fix available
  • CVE-2023-2953 - No fix available
  • CVE-2023-34969 - No fix available
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39326 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39804 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4039 - No fix available
  • CVE-2023-42363 - No fix available
  • CVE-2023-42364 - No fix available
  • CVE-2023-42365 - No fix available
  • CVE-2023-42366 - No fix available
  • CVE-2023-44487 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45142 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45283 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45284 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45285 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-46218 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-47038 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-47108 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4806 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4813 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-48795 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-49290 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5156 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5678 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.