Skip to main content
logoTetrate Service BridgeVersion: 1.8.x

Release Notes

Version 1.8.5

  • Fixes an issue where Management Plane kubespec and overlays were propagated to the Control Plane cluster onboarding templates.
  • Added validation to check that DIRECT mode resources always have the namespace properly set.
  • Fixes an error that prevented the embedded Postgres cleanup job from removing unused PVCs.
  • Fixed the following CVEs : CVE-2024-6119, CVE-2024-7348, CVE-2024-4603, CVE-2024-2511, CVE-2024-4741, CVE-2024-7254, CVE-2024-47554, CVE-2024-8096, CVE-2024-34156, CVE-2024-34155, CVE-2024-34158.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2023-42364 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2022-40735 - No fix available.
  • CVE-2024-6119 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2023-6237 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-41996 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2024-0727 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2022-41409 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2023-5678 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2023-6129 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2023-26604 - No fix available.

Version 1.8.4

  • Fixed an issue where enabling isolation boundary used to get stuck at migrating gateways if istio-gateway namespace existed without dataplane components.
  • Added liveness and readiness probes to the OAP pods.
  • Embedded Postgres now will automatically be restarted when the TLS certificates are renewed.
  • Fixed a bug that caused audit logs to be dispatched for dry-run operations.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2023-42364 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2023-26604 - No fix available.

Version 1.8.3

  • Multiple CVEs fixed.
  • Fixed an issue with Istio CNI not updating when using Isolation Boundaries in a openshift environment with default revision.
  • Fixed an issue where providing overlays for default revision under .spec.xcp.isolationBoundaries didn't take effect.
  • Fixed an issue where edge panics if a service exists in the mesh without service selectors and security settings are configured for it.
  • Fixed an issue where performing an update via TCTL of a direct mode Istio resource of version v1beta1 caused duplicated key error.
  • Fixed an issue where the teamsync-first-run job was being recreated after successful execution.
  • Improved LDAP synchronization by limiting the set of request attributes to avoid timeout errors.
  • CRDs installed by TSB are not deleted when TSB is uninstalled via Helm, fixing possible issues when different TSB planes exist in the same cluster but only some of them are uninstalled.
  • Performance improvements that speed up the configuration propagation from the Management Plane to the Control Plane.
  • Added the dry-run option to the TSB API that allows to check an operation without impacting the current state of the platform.
    • tctl: tctl apply -f <my-config.yaml> --dry-run server-side.
    • http: Add the following header to the request: x-tetrate-dry-run: server-side.
    • grpc: Add the following key value metadata pair. How metadata is added to the client request is dependent on the language used in client grpc library: key x-tetrate-dry-run, value server-side.

Outstanding CVEs

At the time of shipping, there are no Critical and High vulnerabilities flagged. The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations. Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2023-42364 - No fix available.
  • CVE-2024-26462 - No fix available.
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-37370 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2024-37371 - No fix available.
  • CVE-2024-2236 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2024-0406 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2024-26458 - No fix available.
  • CVE-2018-20796 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2010-4756 - No fix available.
  • CVE-2024-2511 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2016-20013 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2024-4741 - No fix available.
  • CVE-2017-11164 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2016-2781 - No fix available.
  • CVE-2024-4603 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-5535 - No fix available.
  • CVE-2013-4235 - No fix available.
  • CVE-2023-26604 - No fix available.

Version 1.8.2

TSB 1.8.2 is a patch release that includes stability and reliability updates, along with fixes to CVEs in TSB's dependencies.

Outstanding CVEs

At the time of shipping, there are no Critical vulnerabilities flagged but 1 High CVE (CVE-2019-0190), which can be ignored as this is a false positive for TSB image(s). The following CVEs (medium/low) have been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2019-0190 - Not vulnerable as the images do not include mod_ssl which is vulnerable to attack.
  • GHSA-3m87-5598-2v4f - Not vulnerable - Advisory withdrawn
  • PRISMA-2021-0153 - No fix available.
  • CVE-2024-28835 - No fix available.
  • CVE-2024-26462 - No fix available.
  • CVE-2024-28180 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2024-28834 - No fix available.
  • CVE-2024-26461 - No fix available.
  • CVE-2024-26458 - No fix available.
  • CVE-2024-2236 - No fix available.
  • PRISMA-2023-0046 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-45918 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-28180 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2024-28834 - No fix available.
  • CVE-2023-49240 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2016-2781 - No fix available.

Version 1.8.1

What’s New

  • IsolationBoundary is now supported in OpenShift

Bug Fixes and Improvements

  • Controlplane upgrades using IsolationBoundary has become more seamless and backward compatible
    • global boundary and default revision is configured automatically as default in TSB controlplane when IsolationBoundary is enabled.
    • Existing TSB workspaces and the workloads & namespaces under them do not require any changes from the user end when IsolationBoundary is enabled during upgrade.
    • Once IsolationBoundary is enabled, all the existing TSB workspaces would be considered under global boundary by default.

Outstanding CVEs

At the time of shipping, the following CVEs had been identified as being present in some images by our security tools. They have been evaluated by Tetrate Product Security and are not exploitable in TSB installations.
Where applicable, this was ascertained by using static code analysis tools.

  • CVE-2016-2781 - No fix available.
  • CVE-2019-0190 - No fix available.
  • CVE-2019-10743 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2022-3715 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-34969 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4039 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2023-4641 - No fix available.
  • CVE-2023-48795 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-49240 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-50495 - No fix available.
  • CVE-2023-52425 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-52426 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5678 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6129 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6237 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-6992 - No fix available.
  • CVE-2023-7008 - No fix available.
  • CVE-2024-0727 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2024-21664 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • GHSA-7ww5-4wqc-m92c - No fix available.
  • PRISMA-2021-0153 - Not a valid CVE / no fix available
  • PRISMA-2023-0046 - Not a valid CVE / no fix available

Version 1.8.0

What's New

  • OIDC authentication for gateways: Now it is possible to authenticate request at gateway using an external OIDC provider. Currently Authorization Code grant type is supported.

  • Isolation Boundaries moved to GA:

    • Isolation Boundaries now work across east-west traffic as well.
    • VM workloads can be onboarded to a specific isolation boundary.
    • Istio configuration can be provided for each revision separately under an isolation boundary.
    • This feature is disabled by default. To enable it, set the following configuration in the XCP component of the ControlPlane resource: 
      components:
        xcp:
          isolationBoundaries:
          - name: global
            revisions:
            - istio:
                tsbVersion: 1.8.0
              name: default
          - name: dev
            revisions:
            - istio:
                tsbVersion: 1.8.0
              name: dev-stable

  • Identity Propagation Improvements:

    • TSB Internal WASM modules used for Identity Propagation can be directly mounted in the Sidecar, Ingress and Egress gateway pods instead of being downloaded from image registries.
    • mountInternalWasmExtensions under istio component is enabled by default.
    • Identity Propagation as a feature is disabled by default, To enable it, set the following configuration in the XCP component of the ControlPlane resource. 
      components:
        xcp:
          enableHttpMeshInternalIdentityPropagation: true

  • TSB resource names now must conform to RFC 1123:

    • Must be between 1 and 63 characters.
    • Begin and end with an alphanumeric character.
    • Can include lowercase alphanumeric characters or -.

  • In Istio 1.19, a new TLS mode, OPTIONAL_MUTUAL, has been introduced within server TLS settings, and this enhancement has been incorporated into TSB APIs. For more details, refer to the Istio documentation.

  • The tier1_cluster flag in the cluster object is set to be deprecated in upcoming releases. This change is due to the ability of all clusters to now accommodate both Tier1 and IngressGateways. For more details, refer to the documentation.

  • Enhanced hostsReachability to configure and limit the scope of service entries created for canonical services when eastwest is enabled. For more details, refer to the documentation.

  • Resolved edge crash issues caused by node or namespace events.

  • Enable PromQL Service in the Control Plane OAP.

Bug Fixes and Improvements

  • Fixed issues with VM gateway not working when ISTIO_ISOLATION_BOUNDARIES is enabled.
  • Fixed issue with creating non revisioned configuration when only one isolation boundary services is being exposed from remote cluster while local cluster had multiple boundaries.
  • Fixed issue with namespace deletion and creation during edge lifecycle removes it from cache.
  • Global Telemetry Object xcp-mesh-default required for enabling telemetry freed up and functionality shifted to Istio Operator.

Outstanding CVEs

  • CVE-2010-0834 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2018-6557 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2016-2781 - No fix available.
  • CVE-2018-1000007 - No fix available.
  • CVE-2019-0190 - No fix available.
  • CVE-2019-10743 - No fix available.
  • CVE-2021-31879 - No fix available.
  • CVE-2022-27943 - No fix available.
  • CVE-2022-3219 - No fix available.
  • CVE-2022-3715 - No fix available.
  • CVE-2022-3857 - No fix available.
  • CVE-2022-48522 - No fix available.
  • CVE-2022-4899 - No fix available.
  • CVE-2023-29383 - No fix available.
  • CVE-2023-2953 - No fix available.
  • CVE-2023-34969 - No fix available.
  • CVE-2023-35116 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39326 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-39804 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4039 - No fix available.
  • CVE-2023-42363 - No fix available.
  • CVE-2023-42364 - No fix available.
  • CVE-2023-42365 - No fix available.
  • CVE-2023-42366 - No fix available.
  • CVE-2023-44487 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45142 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45283 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45284 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-45285 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-46218 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-47038 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-47108 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4806 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-4813 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-48795 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-49290 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5156 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.
  • CVE-2023-5678 - TSB does not execute the code path identified by the vulnerability and is not vulnerable.