Announcing Istio 1.12.4
Istio 1.12.4 patch release.
This release fixes the security vulnerabilities described in our February 22nd post, ISTIO-SECURITY-2022-003. This release note describes what’s different between Istio 1.12.3 and 1.12.4.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
- CVE-2022-23635: CVE-2022-23635 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack.
At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however, to be transparent.
CVE-2021-43824: (CVSS Score 6.5, Medium): Potential null pointer dereference when using JWT filter
CVE-2021-43825: (CVSS Score 6.1, Medium): Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.
CVE-2021-43826: (CVSS Score 6.1, Medium): Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.
CVE-2022-21654: (CVSS Score 7.3, High): Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.
CVE-2022-21655: (CVSS Score 7.5, High): Incorrect handling of internal redirects to routes with a direct response entry.
CVE-2022-23606: (CVSS Score 4.4, Moderate): Stack exhaustion when a cluster is deleted via Cluster Discovery Service.
- Fixed an issue where service update does not trigger route update. (Issue #37356)