Announcing Istio 1.12.2
Istio 1.12.2 patch release.
This release fixes security vulnerabilities described on January 18th (ISTIO-SECURITY-2022-001 and ISTIO-SECURITY-2022-002) and includes minor bug fixes to improve robustness. This release note describes what’s different between Istio 1.12.1 and Istio 1.12.2.
Security Update
CVE-2022-21679: Istio versions 1.12.0 and 1.12.1 contain a vulnerability where configuration for proxies at version 1.11 is generated incorrectly, affecting the `hosts` and `notHosts` fields in the authorization policy.

CVE-2022-21701: Istio versions 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`.
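To check whether either advisory is relevant to a mesh before upgrading, the following added Python helper (not part of Istio or of this release note) inspects AuthorizationPolicy objects for the affected `hosts`/`notHosts` fields and Role/ClusterRole objects for create permission on `gateways.gateway.networking.k8s.io`. The manifests below are constructed samples with hypothetical names; in practice you would feed it the objects returned by `kubectl get ... -o json`.

```python
AFFECTED_FIELDS = ("hosts", "notHosts")  # CVE-2022-21679: fields under rules[].to[].operation

def policy_uses_host_fields(policy):
    """Return (field, values) pairs for every hosts/notHosts entry in an AuthorizationPolicy."""
    found = []
    for rule in policy.get("spec", {}).get("rules") or []:
        for to in rule.get("to") or []:
            operation = to.get("operation") or {}
            for field in AFFECTED_FIELDS:
                if operation.get(field):
                    found.append((field, list(operation[field])))
    return found

def grants_gateway_create(role):
    """True if a Role/ClusterRole grants 'create' on gateways.gateway.networking.k8s.io (CVE-2022-21701)."""
    for rule in role.get("rules") or []:
        if ({"*", "gateway.networking.k8s.io"} & set(rule.get("apiGroups", []))
                and {"*", "gateways"} & set(rule.get("resources", []))
                and {"*", "create"} & set(rule.get("verbs", []))):
            return True
    return False

def audit(policies, roles):
    """Summarise findings from lists of AuthorizationPolicy and Role/ClusterRole objects."""
    report = {"host_policies": [], "gateway_create_roles": []}
    for policy in policies:
        hits = policy_uses_host_fields(policy)
        if hits:
            name = policy["metadata"]["namespace"] + "/" + policy["metadata"]["name"]
            report["host_policies"].append((name, hits))
    for role in roles:
        if grants_gateway_create(role):
            report["gateway_create_roles"].append(role["metadata"]["name"])
    return report

# Constructed sample manifests (hypothetical names), shaped as kubectl -o json returns them
SAMPLE_POLICY = {
    "apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "api-hosts", "namespace": "shop"},
    "spec": {"rules": [{"to": [{"operation": {"hosts": ["api.example.com"],
                                              "notHosts": ["*.internal"]}}]}]},
}
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "gateway-editor", "namespace": "shop"},
    "rules": [{"apiGroups": ["gateway.networking.k8s.io"], "resources": ["gateways"],
               "verbs": ["get", "create"]}],
}
if __name__ == "__main__":
    print(audit([SAMPLE_POLICY], [SAMPLE_ROLE]))
```

A non-empty `host_policies` entry matters only while proxies at version 1.11 remain in the mesh, so pair this with `istioctl proxy-status` to see which proxies still report that version.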
Changes
- Added a privileged flag to the Istio-CNI Helm charts to set the `securityContext` flag. (Issue #34211)
- Fixed an issue where enabling tracing with the telemetry API would cause a malformed host header to be used in the trace report request. (Issue #35750)
- Fixed the `istioctl pc log` command label selector not selecting the default pod. (Issue #36182)
- Fixed an issue where `istioctl analyze` falsely warned of a VirtualService prefix match overlap. (Issue #36245)
- Fixed the omitted setting `.Values.sidecarInjectorWebhook.enableNamespacesByDefault` in the default revision mutating webhook and added the `--auto-inject-namespaces` flag to `istioctl tag` to control this setting. (Issue #36258)
- Fixed values in the Istio Gateway Helm charts for configuring annotations on the Service, which can be used to configure the load balancer in public clouds. (Pull Request #36384)
- Fixed the incorrect format of version and revision in the build info. (Pull Request #36409)
- Fixed an issue where stale endpoints could be configured when a service was deleted and created again. (Issue #36510)
- Fixed an issue where sidecar iptables caused intermittent connection resets due to out-of-window packets. Introduced the flag `meshConfig.defaultConfig.proxyMetadata.INVALID_DROP` to control this setting. (Issue #36489)
- Fixed `operator init --dry-run` creating unexpected namespaces. (Pull Request #36570)
- Fixed an issue where setting `includeInboundPorts` with Helm values did not take effect. (Issue #36644)
- Fixed an endpoint slice cache memory leak. (Pull Request #36518)
- Fixed changes in a delegate virtual service not taking effect when the RDS cache is enabled. (Issue #36525)
- Fixed an issue when using Envoy `v3alpha` APIs in `EnvoyFilter`s. (Issue #36537)