Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing.

Jul 26, 2022

Disclosure Details
CVSS Impact Score5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Releases1.13.6

Do not use Istio 1.14.2 and Istio 1.13.6

Due to a process issue, CVE-2022-31045 was not included in our Istio 1.14.2 and Istio 1.13.6 builds.

At this time we suggest you do not install 1.14.2 or 1.13.6 in a production environment. If you have, you may downgrade to Istio 1.14.1 or Istio 1.13.5. Istio 1.14.3 and Istio 1.13.7 are expected to be released later this week.