Security Bulletins

Disclosed security vulnerabilities and their mitigation.

DisclosureDateAffected ReleasesImpact ScoreRelated
ISTIO-SECURITY-2024-001February 9, 2024All releases prior to 1.19.0
1.19.0 to 1.19.6
1.20.0 to 1.20.2
8.6CVEs reported by Envoy
ISTIO-SECURITY-2023-005December 12, 2023All releases prior to 1.18.0
1.18.0 to 1.18.5
1.19.0 to 1.19.4
1.20.0
N/AChanges to Istio CNI RBAC permissions
ISTIO-SECURITY-2023-004October 11, 2023All releases prior to 1.17.0
1.17.0 to 1.17.6
1.18.0 to 1.18.3
1.19.0 to 1.19.1
7.5CVEs reported by Envoy and Go
ISTIO-SECURITY-2023-003July 25, 2023All releases prior to 1.16.0
1.16.0 to 1.16.6
1.17.0 to 1.17.4
1.18.0 to 1.18.1
8.6CVEs reported by Envoy
ISTIO-SECURITY-2023-002July 14, 2023All releases prior to 1.16.0
1.16.0 to 1.16.5
1.17.0 to 1.17.3
1.18.0
7.5CVE reported by Envoy
ISTIO-SECURITY-2023-001April 4, 2023All releases prior to 1.15.0
1.15.0 to 1.15.6
1.16.0 to 1.16.3
1.17.0 to 1.17.1
8.2Multiple CVEs reported by Envoy
ISTIO-SECURITY-2022-008November 9, 20221.15.2
7.6Identity impersonation if user has localhost access
ISTIO-SECURITY-2022-007October 12, 2022All releases prior to 1.13
1.13.0 to 1.13.8
1.14.0 to 1.14.4
1.15.0 to 1.15.1
7.5Denial of service attack due to Go Regex Library
ISTIO-SECURITY-2022-006July 26, 20221.13.6
1.14.2
5.9Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing
ISTIO-SECURITY-2022-005June 9, 2022All releases prior to 1.12.0
1.12.0 to 1.12.7
1.13.0 to 1.13.4
1.14.0
7.5Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing
ISTIO-SECURITY-2022-004March 9, 2022All releases prior to 1.11.0
1.11.0 to 1.11.7
1.12.0 to 1.12.4
1.13.0 to 1.13.1
7.5Unauthenticated control plane denial of service attack due to stack exhaustion
ISTIO-SECURITY-2022-003February 22, 2022All releases prior to 1.11.0
1.11.0 to 1.11.6
1.12.0 to 1.12.3
1.13.0
7.5Multiple CVEs related to istiod Denial of Service and Envoy
ISTIO-SECURITY-2022-001January 18, 20221.12.0 to 1.12.1
6.8Authorization Policy For Host Rules During Upgrades
ISTIO-SECURITY-2022-002January 18, 20221.12.0 to 1.12.1
4.7Privileged Escalation in Kubernetes Gateway API
ISTIO-SECURITY-2021-008August 24, 2021All releases prior to 1.9.8
1.10.0 to 1.10.3
1.11.0
8.6Multiple CVEs related to AuthorizationPolicy, EnvoyFilter and Envoy
ISTIO-SECURITY-2021-007June 24, 2021All 1.8 patch releases
1.9.0 to 1.9.5
1.10.0 to 1.10.1
9.1Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces
ISTIO-SECURITY-2021-005May 11, 2021All releases prior to 1.8.6
1.9.0 to 1.9.4
8.1HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules
ISTIO-SECURITY-2021-006May 11, 2021All releases prior to 1.8.6
1.9.0 to 1.9.4
10An external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration
ISTIO-SECURITY-2021-003April 15, 2021All releases prior to 1.8.5
1.9.0 to 1.9.2
7.5
ISTIO-SECURITY-2021-004April 15, 2021All releases 1.5 and later
N/APotential misuse of mTLS-only fields in AuthorizationPolicy with plain text traffic
ISTIO-SECURITY-2021-002April 7, 2021All releases 1.6 and later
N/AUpgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports
ISTIO-SECURITY-2021-001March 1, 20211.9.0
8.2JWT authentication can be bypassed when AuthorizationPolicy is misused
ISTIO-SECURITY-2020-011November 21, 20201.8.0
N/AEnvoy incorrectly restores the proxy protocol downstream address for non-HTTP connections
ISTIO-SECURITY-2020-010September 29, 20201.6 to 1.6.10
1.7 to 1.7.2
8.3
ISTIO-SECURITY-2020-009August 11, 20201.5 to 1.5.8
1.6 to 1.6.7
6.8Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services
ISTIO-SECURITY-2020-008July 9, 20201.5 to 1.5.7
1.6 to 1.6.4
All releases prior to 1.5
6.6Incorrect validation of wildcard DNS Subject Alternative Names
ISTIO-SECURITY-2020-007June 30, 20201.5 to 1.5.6
1.6 to 1.6.3
7.5Multiple denial of service vulnerabilities in Envoy
ISTIO-SECURITY-2020-006June 11, 20201.4 to 1.4.9
1.5 to 1.5.4
1.6 to 1.6.1
7.5Denial of service in the HTTP2 library used by Envoy
ISTIO-SECURITY-2020-005May 12, 20201.4 to 1.4.8
1.5 to 1.5.3
7.5Denial of service affecting telemetry v2
ISTIO-SECURITY-2020-004March 25, 20201.4 to 1.4.6
1.5
8.7Default Kiali security configuration allows full control of mesh
ISTIO-SECURITY-2020-003March 3, 20201.4 to 1.4.5
7.5Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy
ISTIO-SECURITY-2020-001February 11, 20201.3 to 1.3.7
1.4 to 1.4.3
9.0Authentication Policy bypass
ISTIO-SECURITY-2020-002February 11, 20201.3 to 1.3.6
7.4Mixer policy check bypass caused by improperly accepting certain request headers
ISTIO-SECURITY-2019-007December 10, 20191.2 to 1.2.9
1.3 to 1.3.5
1.4 to 1.4.1
9.0Heap overflow and improper input validation in Envoy
ISTIO-SECURITY-2019-006November 7, 20191.3 to 1.3.4
7.5Denial of service
ISTIO-SECURITY-2019-005October 8, 20191.1 to 1.1.15
1.2 to 1.2.6
1.3 to 1.3.1
7.5Denial of service caused by the presence of numerous HTTP headers in client requests
Istio 1.2.4 sidecar image vulnerabilitySeptember 10, 20191.2 to 1.2.4
An erroneous 1.2.4 sidecar image was available due to a faulty release operation
ISTIO-SECURITY-2019-003August 13, 20191.1 to 1.1.12
1.2 to 1.2.3
7.5Denial of service in regular expression parsing
ISTIO-SECURITY-2019-004August 13, 20191.1 to 1.1.12
1.2 to 1.2.3
7.5Multiple denial of service vulnerabilities related to HTTP2 support in Envoy
ISTIO-SECURITY-2019-002June 28, 20191.0 to 1.0.8
1.1 to 1.1.9
1.2 to 1.2.1
7.5Denial of service affecting JWT access token parsing
ISTIO-SECURITY-2019-001May 28, 20191.1 to 1.1.6
8.9Incorrect access control