Denial of service affecting telemetry v2.
| | |
|---|---|
| CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Releases | 1.4 to 1.4.8, 1.5 to 1.5.3 |
Istio 1.4 and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled:
By sending a specially crafted packet, an attacker can trigger a null pointer exception in the telemetry v2 code path, resulting in a denial of service of the proxy that received it. The packet can be sent to an ingress gateway or to a sidecar, so no mesh credentials are required and an Internet-exposed gateway is reachable by unauthenticated attackers (reflected in the AV:N/PR:N vector above).
- CVSS Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- For Istio 1.4.x deployments: update to Istio 1.4.9 or later.
- For Istio 1.5.x deployments: update to Istio 1.5.4 or later.
- Workaround: alternatively, you can disable telemetry v2 by running `istioctl manifest apply --set values.telemetry.v2.enabled=false`. Note that this also stops the metrics that telemetry v2 generates, so treat it as a stopgap until you upgrade.
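The mitigation above comes down to a version check. As an added example that is not part of the Istio bulletin or the Istio project, the following POSIX shell script classifies Istio version strings against the affected ranges stated above (1.4 to 1.4.8, 1.5 to 1.5.3) and names the first fixed release for each affected line. The function names and the `SAMPLE_VERSIONS` list are constructed for this example; in practice you would feed it the control-plane and data-plane versions reported by `istioctl version`.

```shell
#!/bin/sh
# Added example, not from the Istio bulletin: triage Istio version strings
# against the affected ranges (1.4 to 1.4.8, 1.5 to 1.5.3). Pure POSIX sh,
# no cluster access needed.

# istio_affected VERSION
#   exit 0 -> affected, 1 -> not affected, 2 -> unparseable version string
istio_affected() {
  ver="${1#v}"               # tolerate a leading "v" (v1.5.2)
  ver="${ver%%-*}"           # drop a pre-release suffix (1.5.2-rc.1 -> 1.5.2)
  case "$ver" in
    *.*.*) ;;                # major.minor.patch
    *.*)   ver="$ver.0" ;;   # a bare "1.4" means the .0 release
    *)     return 2 ;;
  esac
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  patch="${rest#*.}"
  for part in "$major" "$minor" "$patch"; do
    case "$part" in
      ''|*[!0-9]*) return 2 ;;   # empty or non-numeric component: cannot reason about it
    esac
  done
  [ "$major" -eq 1 ] || return 1
  if [ "$minor" -eq 4 ] && [ "$patch" -le 8 ]; then return 0; fi
  if [ "$minor" -eq 5 ] && [ "$patch" -le 3 ]; then return 0; fi
  return 1
}

# fixed_release VERSION
#   print the first release carrying the fix for that minor line, or nothing
fixed_release() {
  v="${1#v}"
  v="${v%%-*}"
  case "$v" in
    1.4|1.4.*) echo "1.4.9" ;;
    1.5|1.5.*) echo "1.5.4" ;;
    *)         echo "" ;;
  esac
}

# count_affected VERSION...
#   print how many of the given versions fall in an affected range
count_affected() {
  n=0
  for v in "$@"; do
    if istio_affected "$v"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# triage VERSION...
#   one human-readable line per version, with the remediation from the bulletin
triage() {
  for v in "$@"; do
    rc=0
    istio_affected "$v" || rc=$?
    case "$rc" in
      0) echo "$v: AFFECTED - upgrade to $(fixed_release "$v") or later, or disable telemetry v2 as a stopgap" ;;
      1) echo "$v: not affected" ;;
      *) echo "$v: unrecognised version string, check manually" ;;
    esac
  done
}

# Constructed sample input for this example; replace with the versions your
# cluster actually reports (e.g. from `istioctl version`).
SAMPLE_VERSIONS="1.4.8 1.4.9 1.5.0 v1.5.3 1.5.4 1.6.0 1.5.2-rc.1 1.4 banana"
if [ "$#" -gt 0 ]; then triage "$@"; else triage $SAMPLE_VERSIONS; fi
echo "affected: $(count_affected $SAMPLE_VERSIONS) of $(echo $SAMPLE_VERSIONS | wc -w | tr -d ' ')"
```

Pre-release suffixes are stripped before comparison, so a `1.5.2-rc.1` build is treated as 1.5.2 and flagged; that is the conservative choice for triage, since a release candidate of an affected patch level carries the same code.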
We’d like to thank Joren Zandstra for the original bug report.
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.