Announcement

Attestd Now Covers Your Service Mesh: Envoy, Istio, Cilium, Calico, and Consul

Robert · Updated May 24, 2026 · 5 min read

[Feature image: "Your service mesh has CVEs. Now you can check them." followed by the product names envoy istio cilium calico consul.]

Five new products are live on Attestd, all in the service mesh and Kubernetes networking layer.

New products: Envoy Proxy, Istio, Cilium, Calico, HashiCorp Consul

Your service mesh is infrastructure you probably do not patch on a schedule. Envoy versions are often locked to whatever Istio ships. Cilium upgrades require coordinating across every node in the cluster. Consul deployments in platform stacks tend to move slowly because they underpin service discovery for everything else. None of these appear in a requirements.txt or get caught by npm audit. They sit below the application layer and accumulate CVEs on their own timeline.


The five products

Envoy Proxy is the L4/L7 proxy powering the data plane inside Istio, AWS App Mesh, and most ingress controllers. CVE history clusters around the HTTP/2 codec, gRPC handling, and auth filter chains. CVE-2023-44487, the HTTP/2 rapid reset attack that caused the 2023 internet-wide DDoS incident, hit Envoy directly at CVSS 7.5. CVE-2019-9901 is a path normalization bypass at CVSS 10.0 that allows crafted URLs to circumvent access control policies.

```bash
curl "https://api.attestd.io/v1/check?product=envoy&version=1.26.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Istio handles mTLS, traffic management, auth policy, and observability for Kubernetes clusters. Istio-specific CVEs scope to the control plane (istiod) rather than the data plane (Envoy), which Attestd tracks separately. CVE-2022-31045 is a memory access error triggered by ill-formed headers at CVSS 9.8. CVE-2021-39156 is an auth bypass achieved by appending a #fragment to a URI, allowing requests to bypass authorization policies at CVSS 8.1. CVE-2022-39278 crashes istiod via an oversized webhook message on port 15017 with no authentication required.

External-istiod topologies that expose port 15017 publicly carry the highest risk for the webhook denial-of-service class of vulnerability.

```bash
curl "https://api.attestd.io/v1/check?product=istio&version=1.15.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Cilium is a CNCF-graduated eBPF-based CNI handling pod networking, network policy enforcement, and Gateway API for Kubernetes. eBPF enforcement runs in the kernel. A CVE in that layer affects everything running above it. CVE-2023-39347 is a network policy bypass via manipulated endpoint labels during upgrades at CVSS 8.8. CVE-2022-29178 allows any process running as group 1000 to access the Cilium API via default Unix socket permissions, also CVSS 8.8. In multi-tenant and AI cluster environments, a Cilium policy bypass collapses the segmentation that separates tenant workloads.

```bash
curl "https://api.attestd.io/v1/check?product=cilium&version=1.13.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Calico is the CNI from Tigera/Project Calico, widely deployed for iptables and eBPF networking and for BGP peering on bare-metal clusters. NVD's application-layer coverage of Calico is thinner than for Cilium or Envoy, and we say so plainly: Calico passed Attestd's eligibility gate, and coverage will grow as NVD enriches its CVE records. CVE-2020-13597 allows a compromised privileged pod to redirect IPv6 traffic via route advertisement when IPv6 is enabled but unused. CVE-2024-33522 is a local privilege escalation via an incorrect SUID bit on the CNI install binary at CVSS 6.7.

```bash
curl "https://api.attestd.io/v1/check?product=calico&version=3.28.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

HashiCorp Consul handles service discovery, health checking, and the Connect service mesh, and is often deployed alongside Vault in platform stacks. If you already check hashicorp_vault with Attestd, you can now cover both HashiCorp products in a single pipeline. Consul has a substantial CVE history across ACL edge cases, RPC parsing, SSRF via health check redirects, and gossip protocol denial-of-service. CVE-2022-29153 is an SSRF vulnerability in which the Consul client agent follows redirects from HTTP health check endpoints, at CVSS 7.5. CVE-2023-3518 is an HTTP/2 stream denial-of-service, also at CVSS 7.5.

```bash
curl "https://api.attestd.io/v1/check?product=consul&version=1.16.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
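The curl calls above take one product and version at a time; in practice the versions come from what is actually running in the cluster, and the Envoy sidecar's image tag is an Istio release number rather than an Envoy one. The following added example (not Attestd's code) turns a constructed image inventory into per-product check URLs; the image repository names, the sample inventory, and the handling of digest-pinned images are assumptions, and the check response body is not parsed because its schema is not shown here.

```python
"""Map a cluster image inventory to Attestd /v1/check requests.
Added example, not Attestd's own code; repo names and the sample inventory are
constructed, and the check response schema (not shown) is not parsed."""
import re
from urllib.parse import urlencode

CHECK_ENDPOINT = "https://api.attestd.io/v1/check"
# Constructed map of image repo (last two path components) to Attestd product.
# istio/proxyv2 is the Envoy sidecar, but its tag is the Istio release: the
# bundled Envoy build still has to be checked separately as product=envoy.
IMAGE_TO_PRODUCT = {"envoyproxy/envoy": "envoy", "istio/pilot": "istio",
                    "istio/proxyv2": "istio", "cilium/cilium": "cilium",
                    "calico/node": "calico", "hashicorp/consul": "consul"}

def parse_image(ref):
    """Return (product, version); product is None for unknown images and
    version is None when the image is pinned by digest only."""
    ref = ref.strip().split("@", 1)[0]          # drop any @sha256:... digest
    path, _, tag = ref.rpartition(":")
    if not path or "/" in tag:                  # the ':' belonged to a registry port
        path, tag = ref, ""
    parts = path.split("/")[-2:]                # strip registry and project prefixes
    product = IMAGE_TO_PRODUCT.get("/".join(parts))
    if product is None:
        return None, None
    m = re.match(r"v?(\d+\.\d+\.\d+)", tag)     # v1.13.0 or 1.15.0-distroless -> bare semver
    return product, (m.group(1) if m else None)

def build_check_url(product, version):
    return f"{CHECK_ENDPOINT}?{urlencode({'product': product, 'version': version})}"

def plan_checks(images):
    """Dedupe (product, version) pairs into check URLs; digest-only images are
    returned separately because their running version must be resolved first."""
    urls, unresolved = {}, []
    for ref in images:
        product, version = parse_image(ref)
        if product and version:
            urls[(product, version)] = build_check_url(product, version)
        elif product:
            unresolved.append(ref)
    return urls, unresolved

# Constructed inventory, shaped like `kubectl get pods -A -o jsonpath='{..image}'` output.
SAMPLE_IMAGES = ["docker.io/istio/pilot:1.15.0", "docker.io/istio/proxyv2:1.15.0-distroless",
                 "quay.io/cilium/cilium:v1.13.0@sha256:" + "0" * 64,
                 "registry.example.com:5000/calico/node:v3.28.0",
                 "hashicorp/consul@sha256:" + "a" * 64, "nginx:1.25"]

if __name__ == "__main__":
    urls, unresolved = plan_checks(SAMPLE_IMAGES)
    print(*urls.values(), sep="\n")             # call each with -H "Authorization: Bearer ..."
    print("resolve running version first:", *unresolved)
```

Each URL is then issued exactly like the curl calls above, with the bearer token header added.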

Two products that did not ship

Eligibility for Attestd coverage is data-driven, not editorial. Every product must pass a minimum threshold of usable CVE records in NVD before being added. Two candidates evaluated in the same batch did not pass.

Linkerd has one NVD record under its merged CPE namespaces and that record has unusable version ranges. CoreDNS has two NVD records, neither with consistent version ranges. CVEs exist for both products in prose advisories, but NVD has not yet published usable structured data for them. Both will be re-evaluated when NVD enriches their CPE data.


The HTTP/2 story

CVE-2023-44487, the HTTP/2 rapid reset attack, swept through the service mesh layer in 2023. Envoy was directly in the blast radius as the data plane behind Istio and AWS App Mesh. The same CVE class, HTTP/2 stream exhaustion, reappears in Consul (CVE-2023-3518). The pattern is consistent: any product that implements an HTTP/2 server has been in scope for this category of denial-of-service attack, and the service mesh layer is full of HTTP/2 servers.

East-west traffic between services, the traffic that Envoy, Istio, and Cilium govern, has historically received less CVE scrutiny than north-south API gateways. These five products close that gap.

Full product reference at attestd.io/docs/products.

Get an API key at api.attestd.io/portal/login. Free tier, 1,000 calls a month, no credit card required.