Security Bulletins

Disclosed security vulnerabilities and their mitigation.

DisclosureDateAffected ReleasesImpact ScoreRelated
ISTIO-SECURITY-2021-007June 24, 2021All 1.8 patch releases
1.9.0 to 1.9.5
1.10.0 to 1.10.1
9.1Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces
ISTIO-SECURITY-2021-006May 11, 2021All releases prior to 1.8.6
1.9.0 to 1.9.4
10An external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration
ISTIO-SECURITY-2021-005May 11, 2021All releases prior to 1.8.6
1.9.0 to 1.9.4
8.1HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules
ISTIO-SECURITY-2021-003April 15, 2021All releases prior to 1.8.5
1.9.0 to 1.9.2
7.5
ISTIO-SECURITY-2021-004April 15, 2021All releases 1.5 and later
N/APotential misuse of mTLS-only fields in AuthorizationPolicy with plain text traffic
ISTIO-SECURITY-2021-002April 7, 2021All releases 1.6 and later
N/AUpgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports
ISTIO-SECURITY-2021-001March 1, 20211.9.0
8.2JWT authentication can be bypassed when AuthorizationPolicy is misused
ISTIO-SECURITY-2020-011November 21, 20201.8.0
N/AEnvoy incorrectly restores the proxy protocol downstream address for non-HTTP connections
ISTIO-SECURITY-2020-010September 29, 20201.6 to 1.6.10
1.7 to 1.7.2
8.3
ISTIO-SECURITY-2020-009August 11, 20201.5 to 1.5.8
1.6 to 1.6.7
6.8Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services
ISTIO-SECURITY-2020-008July 9, 20201.5 to 1.5.7
1.6 to 1.6.4
All releases prior to 1.5
6.6Incorrect validation of wildcard DNS Subject Alternative Names
ISTIO-SECURITY-2020-007June 30, 20201.5 to 1.5.6
1.6 to 1.6.3
7.5Multiple denial of service vulnerabilities in Envoy
ISTIO-SECURITY-2020-006June 11, 20201.4 to 1.4.9
1.5 to 1.5.4
1.6 to 1.6.1
7.5Denial of service in the HTTP2 library used by Envoy
ISTIO-SECURITY-2020-005May 12, 20201.4 to 1.4.8
1.5 to 1.5.3
7.5Denial of service affecting telemetry v2
ISTIO-SECURITY-2020-004March 25, 20201.4 to 1.4.6
1.5
8.7Default Kiali security configuration allows full control of mesh
ISTIO-SECURITY-2020-003March 3, 20201.4 to 1.4.5
7.5Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy
ISTIO-SECURITY-2020-002February 11, 20201.3 to 1.3.6
7.4Mixer policy check bypass caused by improperly accepting certain request headers
ISTIO-SECURITY-2020-001February 11, 20201.3 to 1.3.7
1.4 to 1.4.3
9.0Authentication Policy bypass
ISTIO-SECURITY-2019-007December 10, 20191.2 to 1.2.9
1.3 to 1.3.5
1.4 to 1.4.1
9.0Heap overflow and improper input validation in Envoy
ISTIO-SECURITY-2019-006November 7, 20191.3 to 1.3.4
7.5Denial of service
ISTIO-SECURITY-2019-005October 8, 20191.1 to 1.1.15
1.2 to 1.2.6
1.3 to 1.3.1
7.5Denial of service caused by the presence of numerous HTTP headers in client requests
Istio 1.2.4 sidecar image vulnerabilitySeptember 10, 20191.2 to 1.2.4
An erroneous 1.2.4 sidecar image was available due to a faulty release operation
ISTIO-SECURITY-2019-004August 13, 20191.1 to 1.1.12
1.2 to 1.2.3
7.5Multiple denial of service vulnerabilities related to HTTP2 support in Envoy
ISTIO-SECURITY-2019-003August 13, 20191.1 to 1.1.12
1.2 to 1.2.3
7.5Denial of service in regular expression parsing
ISTIO-SECURITY-2019-002June 28, 20191.0 to 1.0.8
1.1 to 1.1.9
1.2 to 1.2.1
7.5Denial of service affecting JWT access token parsing
ISTIO-SECURITY-2019-001May 28, 20191.1 to 1.1.6
8.9Incorrect access control