days to Istio 1.5

ISTIO-SECURITY-2019-006

Security Bulletin

Disclosure Details
CVE(s)CVE-2019-18817
CVSS Impact Score7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
Affected Releases1.3 to 1.3.4

Envoy, and subsequently Istio, are vulnerable to the following DoS attack. An infinite loop can be triggered in Envoy if the option continue_on_listener_filters_timeout is set to True. This has been the case for Istio since the introduction of the Protocol Detection feature in Istio 1.3 A remote attacker may trivially trigger that vulnerability, effectively exhausting Envoy’s CPU resources and causing a denial-of-service attack.

Impact and detection

Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases, your cluster is vulnerable.

Mitigation

  • Workaround: The exploitation of that vulnerability can be prevented by customizing Istio installation (as described in installation options ), using Helm to override the following options:

    --set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
    
  • For Istio 1.3.x deployments: update to Istio 1.3.5 or later.

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!