Announcing Istio 1.4.10

Istio 1.4.10 security release.

Jun 22, 2020

This is the final release for Istio 1.4.

This release fixes the security vulnerability described in our June 11th, 2020 news post and includes bug fixes to improve robustness.

This release note describes what’s different between Istio 1.4.9 and Istio 1.4.10.

Security update

CVE-2020-11080: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. The packet could be sent to the ingress gateway or a sidecar.

Bug fixes

Bookinfo sample application security fixes

We’ve updated the versions of Node.js and jQuery used in the Bookinfo sample application. Node.js has been upgraded from version 12.9 to 12.18. jQuery has been updated from version 2.1.4 to version 3.5.0. The highest-rated vulnerability fixed is HTTP request smuggling using a malformed Transfer-Encoding header (Critical) (CVE-2019-15605).