Announcing Istio 1.9.5
Istio 1.9.5 patch release.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (
%5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. See the ISTIO-SECURITY-2021-005 bulletin for more details.
- CVSS Score: 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Envoy contains a remotely exploitable vulnerability where an HTTP request with escaped slash characters can bypass Envoy’s authorization mechanisms.
- CVSS Score: 8.3 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with
AUTO_PASSTHROUGHrouting configuration. See the ISTIO-SECURITY-2021-006 bulletin for more details.
- CVSS Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
This change can be temporarily disabled if desired by setting the environment variable
PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH=true in Istiod. However, this is strongly discouraged, as it negates the fix to ISTIO-SECURITY-2021-006.
Please follow the Multicluster Installation documentation for more information.