Security Bulletins
Disclosed security vulnerabilities and their mitigation.
| Disclosure | Date | Affected Releases | Impact Score | Related |
|---|---|---|---|---|
| ISTIO-SECURITY-2024-002 | April 8, 2024 | All releases prior to 1.19.0 1.19.0 to 1.19.8 1.20.0 to 1.20.4 1.21.0 | 7.5 | CVEs reported by Envoy and Go |
| ISTIO-SECURITY-2024-001 | February 9, 2024 | All releases prior to 1.19.0 1.19.0 to 1.19.6 1.20.0 to 1.20.2 | 8.6 | CVEs reported by Envoy |
| ISTIO-SECURITY-2023-005 | December 12, 2023 | All releases prior to 1.18.0 1.18.0 to 1.18.5 1.19.0 to 1.19.4 1.20.0 | N/A | Changes to Istio CNI RBAC permissions |
| ISTIO-SECURITY-2023-004 | October 11, 2023 | All releases prior to 1.17.0 1.17.0 to 1.17.6 1.18.0 to 1.18.3 1.19.0 to 1.19.1 | 7.5 | CVEs reported by Envoy and Go |
| ISTIO-SECURITY-2023-003 | July 25, 2023 | All releases prior to 1.16.0 1.16.0 to 1.16.6 1.17.0 to 1.17.4 1.18.0 to 1.18.1 | 8.6 | CVEs reported by Envoy |
| ISTIO-SECURITY-2023-002 | July 14, 2023 | All releases prior to 1.16.0 1.16.0 to 1.16.5 1.17.0 to 1.17.3 1.18.0 | 7.5 | CVE reported by Envoy |
| ISTIO-SECURITY-2023-001 | April 4, 2023 | All releases prior to 1.15.0 1.15.0 to 1.15.6 1.16.0 to 1.16.3 1.17.0 to 1.17.1 | 8.2 | Multiple CVEs reported by Envoy |
| ISTIO-SECURITY-2022-008 | November 9, 2022 | 1.15.2 | 7.6 | Identity impersonation if user has localhost access |
| ISTIO-SECURITY-2022-007 | October 12, 2022 | All releases prior to 1.13 1.13.0 to 1.13.8 1.14.0 to 1.14.4 1.15.0 to 1.15.1 | 7.5 | Denial of service attack due to Go Regex Library |
| ISTIO-SECURITY-2022-006 | July 26, 2022 | 1.13.6 1.14.2 | 5.9 | Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing |
| ISTIO-SECURITY-2022-005 | June 9, 2022 | All releases prior to 1.12.0 1.12.0 to 1.12.7 1.13.0 to 1.13.4 1.14.0 | 7.5 | Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing |
| ISTIO-SECURITY-2022-004 | March 9, 2022 | All releases prior to 1.11.0 1.11.0 to 1.11.7 1.12.0 to 1.12.4 1.13.0 to 1.13.1 | 7.5 | Unauthenticated control plane denial of service attack due to stack exhaustion |
| ISTIO-SECURITY-2022-003 | February 22, 2022 | All releases prior to 1.11.0 1.11.0 to 1.11.6 1.12.0 to 1.12.3 1.13.0 | 7.5 | Multiple CVEs related to istiod Denial of Service and Envoy |
| ISTIO-SECURITY-2022-001 | January 18, 2022 | 1.12.0 to 1.12.1 | 6.8 | Authorization Policy For Host Rules During Upgrades |
| ISTIO-SECURITY-2022-002 | January 18, 2022 | 1.12.0 to 1.12.1 | 4.7 | Privileged Escalation in Kubernetes Gateway API |
| ISTIO-SECURITY-2021-008 | August 24, 2021 | All releases prior to 1.9.8 1.10.0 to 1.10.3 1.11.0 | 8.6 | Multiple CVEs related to AuthorizationPolicy, EnvoyFilter and Envoy |
| ISTIO-SECURITY-2021-007 | June 24, 2021 | All 1.8 patch releases 1.9.0 to 1.9.5 1.10.0 to 1.10.1 | 9.1 | Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces |
| ISTIO-SECURITY-2021-005 | May 11, 2021 | All releases prior to 1.8.6 1.9.0 to 1.9.4 | 8.1 | HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules |
| ISTIO-SECURITY-2021-006 | May 11, 2021 | All releases prior to 1.8.6 1.9.0 to 1.9.4 | 10 | An external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration |
| ISTIO-SECURITY-2021-003 | April 15, 2021 | All releases prior to 1.8.5 1.9.0 to 1.9.2 | 7.5 | |
| ISTIO-SECURITY-2021-004 | April 15, 2021 | All releases 1.5 and later | N/A | Potential misuse of mTLS-only fields in AuthorizationPolicy with plain text traffic |
| ISTIO-SECURITY-2021-002 | April 7, 2021 | All releases 1.6 and later | N/A | Upgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports |
| ISTIO-SECURITY-2021-001 | March 1, 2021 | 1.9.0 | 8.2 | JWT authentication can be bypassed when AuthorizationPolicy is misused |
| ISTIO-SECURITY-2020-011 | November 21, 2020 | 1.8.0 | N/A | Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections |
| ISTIO-SECURITY-2020-010 | September 29, 2020 | 1.6 to 1.6.10 1.7 to 1.7.2 | 8.3 | |
| ISTIO-SECURITY-2020-009 | August 11, 2020 | 1.5 to 1.5.8 1.6 to 1.6.7 | 6.8 | Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services |
| ISTIO-SECURITY-2020-008 | July 9, 2020 | 1.5 to 1.5.7 1.6 to 1.6.4 All releases prior to 1.5 | 6.6 | Incorrect validation of wildcard DNS Subject Alternative Names |
| ISTIO-SECURITY-2020-007 | June 30, 2020 | 1.5 to 1.5.6 1.6 to 1.6.3 | 7.5 | Multiple denial of service vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-006 | June 11, 2020 | 1.4 to 1.4.9 1.5 to 1.5.4 1.6 to 1.6.1 | 7.5 | Denial of service in the HTTP2 library used by Envoy |
| ISTIO-SECURITY-2020-005 | May 12, 2020 | 1.4 to 1.4.8 1.5 to 1.5.3 | 7.5 | Denial of service affecting telemetry v2 |
| ISTIO-SECURITY-2020-004 | March 25, 2020 | 1.4 to 1.4.6 1.5 | 8.7 | Default Kiali security configuration allows full control of mesh |
| ISTIO-SECURITY-2020-003 | March 3, 2020 | 1.4 to 1.4.5 | 7.5 | Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-001 | February 11, 2020 | 1.3 to 1.3.7 1.4 to 1.4.3 | 9.0 | Authentication Policy bypass |
| ISTIO-SECURITY-2020-002 | February 11, 2020 | 1.3 to 1.3.6 | 7.4 | Mixer policy check bypass caused by improperly accepting certain request headers |
| ISTIO-SECURITY-2019-007 | December 10, 2019 | 1.2 to 1.2.9 1.3 to 1.3.5 1.4 to 1.4.1 | 9.0 | Heap overflow and improper input validation in Envoy |
| ISTIO-SECURITY-2019-006 | November 7, 2019 | 1.3 to 1.3.4 | 7.5 | Denial of service |
| ISTIO-SECURITY-2019-005 | October 8, 2019 | 1.1 to 1.1.15 1.2 to 1.2.6 1.3 to 1.3.1 | 7.5 | Denial of service caused by the presence of numerous HTTP headers in client requests |
| Istio 1.2.4 sidecar image vulnerability | September 10, 2019 | 1.2 to 1.2.4 | An erroneous 1.2.4 sidecar image was available due to a faulty release operation | |
| ISTIO-SECURITY-2019-003 | August 13, 2019 | 1.1 to 1.1.12 1.2 to 1.2.3 | 7.5 | Denial of service in regular expression parsing |
| ISTIO-SECURITY-2019-004 | August 13, 2019 | 1.1 to 1.1.12 1.2 to 1.2.3 | 7.5 | Multiple denial of service vulnerabilities related to HTTP2 support in Envoy |
| ISTIO-SECURITY-2019-002 | June 28, 2019 | 1.0 to 1.0.8 1.1 to 1.1.9 1.2 to 1.2.1 | 7.5 | Denial of service affecting JWT access token parsing |
| ISTIO-SECURITY-2019-001 | May 28, 2019 | 1.1 to 1.1.6 | 8.9 | Incorrect access control |