Announcing Istio 1.11.1
Istio 1.11.1 patch release.
This release fixes the security vulnerabilities described in our August 24th post, ISTIO-SECURITY-2021-008. This release note describes what’s different between Istio 1.11.0 and 1.11.1.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
CVE-2021-39155 (CVE-2021-32779): Istio authorization policies incorrectly compare the host header in a case-sensitive manner, whereas RFC 4343 states that host names are case-insensitive. Envoy routes the request hostname in a case-insensitive way, so a request whose host differs from the policy's host only in case can be routed to the protected workload while the authorization policy fails to match it, which means the policy could be bypassed.
- CVSS Score: 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
CVE-2021-39156: Istio contains a remotely exploitable vulnerability where an HTTP request with a fragment (e.g. #Section) in the path may bypass Istio’s URI path based authorization policies.
- CVSS Score: 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
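The two policy/router mismatches above (host compared case-sensitively, path compared with its fragment still attached), as an added illustration in Go that is not Istio or Envoy code: a toy exact-match deny rule evaluated the naive way beside a version that matches on the same normalized view the router uses. The `Request` and `Rule` types and the `naiveDeny`, `normalize`, `routerDelivers`, `hardenedDeny` and `bypassed` functions are hypothetical names for this example, and the hosts and paths are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Request holds the two header-derived fields the policies discussed above
// inspect. Hypothetical type for this illustration only.
type Request struct {
	Host string // Host / :authority header exactly as the client sent it
	Path string // request-target exactly as the client sent it
}

// Rule is a toy exact-match deny rule: deny when both host and path match.
type Rule struct {
	Host string
	Path string
}

// naiveDeny reproduces the two defects described above: the host is compared
// case-sensitively and the raw request-target (fragment included) is compared
// against the rule path.
func naiveDeny(r Request, rule Rule) bool {
	return r.Host == rule.Host && r.Path == rule.Path
}

// normalize applies the router's view of the request: DNS names compare
// case-insensitively (RFC 4343), and a fragment is never part of the path
// that selects a route, so it is dropped before matching.
func normalize(r Request) Request {
	path := r.Path
	if i := strings.IndexByte(path, '#'); i >= 0 {
		path = path[:i]
	}
	return Request{Host: strings.ToLower(r.Host), Path: path}
}

// routerDelivers models the routing decision: the request reaches the
// protected host and path if it matches after normalization.
func routerDelivers(r Request, rule Rule) bool {
	n := normalize(r)
	return n.Host == strings.ToLower(rule.Host) && n.Path == rule.Path
}

// hardenedDeny evaluates the policy on the same normalized view the router
// uses, so policy and router can no longer disagree about one request.
func hardenedDeny(r Request, rule Rule) bool {
	n := normalize(r)
	return n.Host == strings.ToLower(rule.Host) && n.Path == rule.Path
}

// bypassed reports whether the naive policy lets the request through even
// though the router still delivers it to the protected host and path.
func bypassed(r Request, rule Rule) bool {
	return routerDelivers(r, rule) && !naiveDeny(r, rule)
}

func main() {
	rule := Rule{Host: "backend.example.com", Path: "/admin"}
	// Constructed sample requests.
	reqs := []Request{
		{Host: "backend.example.com", Path: "/admin"},         // plain request
		{Host: "Backend.Example.COM", Path: "/admin"},         // host case differs
		{Host: "backend.example.com", Path: "/admin#Section"}, // fragment in path
		{Host: "backend.example.com", Path: "/admin/x"},       // different path
	}
	for _, r := range reqs {
		fmt.Printf("%-22s %-16s naiveDeny=%-5v hardenedDeny=%-5v bypassed=%v\n",
			r.Host, r.Path, naiveDeny(r, rule), hardenedDeny(r, rule), bypassed(r, rule))
	}
}
```

The second and third sample requests are the ones that matter: the naive policy does not deny them, yet the router still delivers them to the protected host and path. Real proxy normalization is wider than lowercasing and fragment stripping (percent-encoding, dot segments, and the multiple-value header case in CVE-2021-32777 are all separate concerns), and the fix here is the upgrade to 1.11.1; the block only shows why a policy that matches a different view of the request than the router does can be walked around.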
Envoy Security updates
CVE-2021-32777 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an HTTP request with multiple value headers may bypass authorization policies when using the
CVE-2021-32778 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests may lead to excessive CPU consumption.
CVE-2021-32780 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an untrusted upstream service may cause Envoy to terminate abnormally by sending the GOAWAY frame followed by the SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Note: this vulnerability does not impact downstream client connections.
CVE-2021-32781 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability that affects Envoy’s decompressor, json-transcoder or grpc-web extensions, or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy extension beyond the internal buffer size may lead to Envoy accessing deallocated memory and terminating abnormally.