ISTIO-SECURITY-2019-005
Denial of service caused by the presence of numerous HTTP headers in client requests.
Disclosure Details | |
---|---|
CVE(s) | CVE-2019-15226 |
CVSS Impact Score | 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Affected Releases | 1.1 to 1.1.15, 1.2 to 1.2.6, 1.3 to 1.3.1 |
Envoy, and consequently Istio, are vulnerable to the following DoS attack. Upon receiving each incoming request, Envoy iterates over the request headers to verify that their total size stays below a maximum limit. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers; processing them consumes CPU and results in a denial of service.
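As an added example that is not part of the advisory and not Envoy's or Istio's code, the following Python model illustrates the check described above: a size-only check accepts and fully walks a request made of thousands of tiny headers, while a check that also caps the header count rejects it before the walk. The limits and sample requests are assumed values constructed for the illustration.

```python
# Added example, not Envoy's or Istio's code: a model of the request header
# limit check described in the advisory. The vulnerable model walks every
# header and stops only when the total-size budget is exceeded, so a request
# made of thousands of tiny headers is processed in full; the hardened model
# also caps the header count. All limits and sample requests are constructed.

MAX_HEADER_BYTES = 60 * 1024  # assumed per-request header budget
MAX_HEADER_COUNT = 100        # assumed cap on the number of headers


def line_size(name, value):
    """Bytes of one header line 'name: value\\r\\n'."""
    return len(name) + len(value) + 4


def check_size_only(headers):
    """Vulnerable model. Returns (accepted, headers_examined)."""
    total = 0
    for i, (name, value) in enumerate(headers, start=1):
        total += line_size(name, value)
        if total > MAX_HEADER_BYTES:
            return False, i
    return True, len(headers)


def check_size_and_count(headers):
    """Hardened model: reject on header count before walking the list."""
    if len(headers) > MAX_HEADER_COUNT:
        return False, 0
    return check_size_only(headers)


def tiny_header_request(n):
    """Constructed sample: n small headers that stay under the size budget."""
    return [(f"x-{i}", "1") for i in range(n)]


# Constructed sample of an ordinary request's headers.
NORMAL_REQUEST = [("host", "example.com"), ("user-agent", "curl/7.64"),
                  ("accept", "*/*")]

if __name__ == "__main__":
    flood = tiny_header_request(5000)
    print(check_size_only(flood))          # (True, 5000): all headers walked
    print(check_size_and_count(flood))     # (False, 0): rejected before the walk
    print(check_size_and_count(NORMAL_REQUEST))  # (True, 3)
```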
Impact and detection
Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases, your cluster is vulnerable.
Mitigation
- For Istio 1.1.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then upgrade the data plane to Istio 1.1.16 or later.
- For Istio 1.2.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then upgrade the data plane to Istio 1.2.7 or later.
- For Istio 1.3.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then upgrade the data plane to Istio 1.3.2 or later.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.