Announcing Istio 1.12.5
Istio 1.12.5 patch release.
This release fixes the security vulnerabilities described in our March 9th post, ISTIO-SECURITY-2022-004. This release note describes what’s different between Istio 1.12.4 and 1.12.5.
- CVE-2022-24726: (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack due to stack exhaustion.
- Fixed an issue with Delta CDS where a removed service port would persist after being updated. (Pull Request #37454)
- Fixed an issue where CNI ignored traffic annotations. (Issue #37637)
- Fixed a bug where cache entries were never updated. (Pull Request #37578)
At this time, Istio is not believed to be vulnerable to the following CVEs in Envoy. They are listed, however, for transparency.
- CVE-2022-21656 (CVSS Score 3.1, Low): X.509
- CVE-2022-21657 (CVSS Score 3.1, Low): X.509 Extended Key Usage and Trust Purposes bypass.