Skip to content
Envoy Cves

We are releasing K10 v2.0.4 today to address three High / Critical severity vulnerabilities reported by the Envoy security team on December 10. These issues can allow untrusted remote clients to crash Envoy or gain privileges that they should not have. Kasten K10, our data management platform that is purpose-built for Kubernetes provides enterprise operations teams an easy-to-use, scalable, and secure system for backup/restore, disaster recovery, and mobility of Kubernetes applications. Just like Istio and a host of other applications, K10 also has a dependency on Envoy given our use of Ambassador (props to the Ambassador team on getting their bug-fix release out so quickly too!) to route traffic into our platform.

Given the severity of the CVEs, we recommend that all Kasten K10 users should upgrade as soon as possible. You can upgrade to the latest version of K10 by following the instructions outlined here.

The details of the Common Vulnerabilities and Exposures (CVEs) that are addressed in this release include:

  • CVE-2019-18801 (CVSS score 9.0, Critical): An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1.
  • CVE-1019-18802 (CVSS score 7.5, High): A request header with trailing whitespace may cause route matchers or access controls to be bypassed, resulting in escalation of privileges or information disclosure.
  • CVE-1019-18838 (CVSS score 7.5, High): Malformed HTTP request without the Host header may cause abnormal termination of the Envoy process.

What Made This Quick Response Possible?

Given our enterprise focus, we have a strict definition of response times for CVEs at different severity. We also scan all our container images for vulnerabilities like the above to help us catch these issues early.

However, this is simply not an issue of great security hygiene and moving quickly in response to High or Critical CVEs. We have done a lot of work internally on our engineering infrastructure to always have our master branch ready to release with a very extensive test framework and 100% test automation. Our deep test pipeline that validates every commit and release on multiple public clouds, against the Container Storage Interface (CSI), with on-premises distributions such as OpenShift, multiple applications representative of customer deployments, upgrades from previous K10 releases, and more. All of this infrastructure we have invested heavily in is what allows us to not just release regularly on a two-week cadence with confidence but also turn around security-related releases very quickly.

We take security very seriously and would love to hear from you to answer any questions! Find us on Twitter, drop us an email, or swing by our website.

-The Kasten Team

Download Free Kasten K10










For information about Kasten K10

Contact Us

For information about Kasten K10, please send us a message using the form on this page, or email us at

For product support: Open a case via Veeam
Community support: Veeam Community


Kasten, Inc. 
8800 Lyra Drive, Suite 450
Columbus, Ohio 43240

We value the critical role that the security community plays in helping us protect the confidentiality, integrity, and availability of our software, services, and information. If you have information about security vulnerabilities that affect Kasten software, services, or information, please report it to us via our HackerOne Vulnerability Disclosure Program, or anonymously via this form.

Please Send Us a Message