Feature Request: Release Envoy v1.25.4

[suniltheta]

The Envoy team released v1.25.4: https://github.com/envoyproxy/envoy/releases/tag/v1.25.4.

We should update the App Mesh Envoy Container Image to v1.25.4.

[suniltheta]

The images have been released:

• For me-south-1:

  772975370895.dkr.ecr.me-south-1.amazonaws.com/aws-appmesh-envoy:v1.25.4.0-prod

• For ap-east-1:

  856666278305.dkr.ecr.ap-east-1.amazonaws.com/aws-appmesh-envoy:v1.25.4.0-prod

• For eu-south-1:

  422531588944.dkr.ecr.eu-south-1.amazonaws.com/aws-appmesh-envoy:v1.25.4.0-prod

• For af-south-1:

  924023996002.dkr.ecr.af-south-1.amazonaws.com/aws-appmesh-envoy:v1.25.4.0-prod

• For cn-north-1:

  919366029133.dkr.ecr.cn-north-1.amazonaws.com.cn/aws-appmesh-envoy:v1.25.4.0-prod

• For cn-northwest-1:

  919830735681.dkr.ecr.cn-northwest-1.amazonaws.com.cn/aws-appmesh-envoy:v1.25.4.0-prod

• For ap-southeast-3:

  909464085924.dkr.ecr.ap-southeast-3.amazonaws.com/aws-appmesh-envoy:v1.25.4.0-prod

• For all other regions where App Mesh is available:

  840364872350.dkr.ecr.<region>.amazonaws.com/aws-appmesh-envoy:v1.25.4.0-prod

  e.g.

  840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmesh-envoy:v1.25.4.0-prod

• Public ECR Image:

  public.ecr.aws/appmesh/aws-appmesh-envoy:v1.25.4.0-prod

We'll keep this issue open as we update the recommended image our other projects (e.g. aws/aws-app-mesh-controller-for-k8s), examples, and documentation.

[suniltheta]

Thanks to Envoy maintainers & community this image provides fixes for the following CVEs:

• CVE-2023-27487
• CVE-2023-27491
• CVE-2023-27492
• CVE-2023-27493
• CVE-2023-27488
• CVE-2023-27496

Refer: https://github.com/envoyproxy/envoy/security/advisories

[suniltheta]

⚠️⚠️ Caution while upgrading to this image ⚠️⚠️

A CVE-2023-27487 fix (commit: 4a8cc2e) made in Envoy will sanitizing header x-envoy-original-path correctly. So, expect a change in the header value when received by the upstream services. If you think this vulnerability condition is not applicable in your scenario and you want to disable the feature envoy.reloadable_features.sanitize_original_path then you can set the env variable in Envoy container ENVOY_SANITIZE_ORIGINAL_PATH to false (Context: https://github.com/aws/amazon-ecs-service-connect-agent/pull/15).

[suniltheta]

The above CVE fix was updated to sanitize the header only on edge Envoy proxy since v1.25.5 release on Envoy. So in Envoy v1.26.4 release the behavior will not change unless the Envoy is determined as edge proxy.