ISTIO-SECURITY-2019-003
Denial of service in regular expression parsing.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2019-14993 |
| CVSS Impact Score | 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | 1.1 to 1.1.12, 1.2 to 1.2.3 |
An Envoy user publicly reported an issue (c.f. Envoy issue 7728) in which regular expression (regex) matching crashes Envoy on very large URIs. After investigation, the Istio team found that this issue can be leveraged for a DoS attack against Istio if users employ regular expressions in any of the following Istio APIs: JWT (in authentication policies), VirtualService, HTTPAPISpecBinding, QuotaSpecBinding. Because the regex is evaluated by the Envoy proxy on each request, the crash is triggered by request traffic alone, which is what the CVSS vector expresses: network-reachable, no privileges or user interaction required, availability impact only.
Impact and detection
To detect whether any regular expressions are used in Istio APIs in your cluster, run the following command, which prints one of the following two outputs:
- YOU ARE AFFECTED: found regex used in AuthenticationPolicy or VirtualService
- YOU ARE NOT AFFECTED: did not find regex usage
Note that these output strings name only AuthenticationPolicy and VirtualService; the advisory also lists HTTPAPISpecBinding and QuotaSpecBinding as affected, so review regex usage in those resources as well.
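As an added example (this is not the advisory's own check script, which is not reproduced on this page), the following Python scan walks the JSON that `kubectl get ... -o json` emits and reports every string-valued `regex` matcher, with the resource kind, namespace, name and JSON path, then prints the same two verdicts as the advisory. It assumes the Istio 1.1/1.2 CRD resource names shown in the header comment, and that the patterns referenced by HTTPAPISpecBinding and QuotaSpecBinding live in the HTTPAPISpec and QuotaSpec objects they bind; the file name `find_istio_regex.py`, the `--stdin` flag and the embedded sample resources are constructed for illustration.

```python
#!/usr/bin/env python3
# Added example, not Istio's own detection script: report every `regex`
# StringMatch in Istio resources dumped with `kubectl get ... -o json`.
#
# Assumed invocation against a live cluster (CRD names as in Istio 1.1/1.2):
#   kubectl get policies.authentication.istio.io,meshpolicies.authentication.istio.io,\
#     virtualservices.networking.istio.io,httpapispecs.config.istio.io,\
#     quotaspecs.config.istio.io --all-namespaces -o json | python3 find_istio_regex.py --stdin
import json
import sys

# Kinds whose spec can carry a `regex` matcher. The advisory names the
# HTTPAPISpecBinding / QuotaSpecBinding APIs; the patterns themselves live in the
# HTTPAPISpec / QuotaSpec objects those bindings reference, so those are scanned.
AFFECTED_KINDS = {"Policy", "MeshPolicy", "VirtualService", "HTTPAPISpec", "QuotaSpec"}


def _walk(node, path="spec"):
    """Yield (json_path, pattern) for every string-valued `regex` key under node.

    A *field* named regex (e.g. a header called "regex" matched with `exact`) has a
    dict value and is deliberately not reported, unlike a plain grep for "regex".
    """
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "regex" and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def find_regex_usage(doc):
    """doc: one resource or a kubectl `List`. Returns [(kind, namespace, name, path, pattern)]."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        kind = obj.get("kind", "")
        if kind not in AFFECTED_KINDS:
            continue
        meta = obj.get("metadata", {})
        namespace = meta.get("namespace", "<cluster-scoped>")  # MeshPolicy has no namespace
        for path, pattern in _walk(obj.get("spec", {})):
            findings.append((kind, namespace, meta.get("name", "?"), path, pattern))
    return findings


def verdict(findings):
    """Same two outcomes the advisory's check prints, but naming every kind found."""
    if not findings:
        return "YOU ARE NOT AFFECTED: did not find regex usage"
    return "YOU ARE AFFECTED: found regex used in " + ", ".join(sorted({f[0] for f in findings}))


# Constructed sample standing in for kubectl output: three resources with regex
# matchers and one VirtualService whose only "regex" is a header *name*.
SAMPLE = json.loads(r'''
{"kind": "List", "items": [
 {"kind": "VirtualService", "metadata": {"name": "reviews", "namespace": "default"},
  "spec": {"hosts": ["reviews"], "http": [
    {"match": [{"uri": {"regex": "^/api/v[0-9]+/.*"}}],
     "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
    {"match": [{"uri": {"prefix": "/health"}}],
     "route": [{"destination": {"host": "reviews", "subset": "v1"}}]}]}},
 {"kind": "Policy", "metadata": {"name": "jwt-example", "namespace": "default"},
  "spec": {"targets": [{"name": "httpbin"}], "principalBinding": "USE_ORIGIN",
           "origins": [{"jwt": {"issuer": "testing@secure.istio.io",
                                "jwksUri": "https://example.com/jwks.json",
                                "triggerRules": [{"excludedPaths": [{"regex": "^/public/.*$"}]}]}}]}},
 {"kind": "QuotaSpec", "metadata": {"name": "request-count", "namespace": "istio-system"},
  "spec": {"rules": [{"match": [{"clause": {"request.path": {"regex": "/productpage.*"}}}],
                      "quotas": [{"quota": "requestcount", "charge": 1}]}]}},
 {"kind": "VirtualService", "metadata": {"name": "ratings", "namespace": "default"},
  "spec": {"hosts": ["ratings"], "http": [{"match": [{"headers": {"regex": {"exact": "1"}}}],
    "route": [{"destination": {"host": "ratings"}}]}]}}
]}
''')

if __name__ == "__main__":
    doc = json.load(sys.stdin) if "--stdin" in sys.argv[1:] else SAMPLE
    results = find_regex_usage(doc)
    for kind, ns, name, path, pattern in results:
        print(f"{kind} {ns}/{name}: {path} = {pattern!r}")
    print(verdict(results))
```

Run without arguments it scans the embedded sample and reports three findings (the `reviews` VirtualService, the `jwt-example` Policy and the `request-count` QuotaSpec) while correctly ignoring the `ratings` VirtualService, whose `regex` is a header name matched with `exact`. Walking the object tree rather than grepping the YAML for `regex:` is what avoids that false positive; it also means the check still finds matchers nested in places a hand-written `jsonpath` would miss, such as `headers` or `queryParams` matchers in a VirtualService.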
Mitigation
- For Istio 1.1.x deployments: update to Istio 1.1.13 or later.
- For Istio 1.2.x deployments: update to Istio 1.2.4 or later.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.