Announcing Istio 1.13.1
Istio 1.13.1 patch release.
This release fixes the security vulnerabilities described in our February 22nd post, ISTIO-SECURITY-2022-003. This release note describes what’s different between Istio 1.13.0 and 1.13.1.
Security update
- CVE-2022-23635 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack.
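After upgrading, the practical check is that no control-plane or sidecar image older than 1.13.1 is still running, since a single stale istiod or proxy leaves the denial-of-service exposure in place. The script below is an added example, not code from the Istio release notes: it reads container image references (one per line, as `kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'` prints them) and reports any `istio/pilot` or `istio/proxyv2` image whose tag is below the patched version. It assumes the default image names; a private hub or renamed images would need the `case` patterns adjusted. The sample input is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the Istio release notes): list Istio images whose tag
# is older than the patched release. Assumes the default image names
# istio/pilot (istiod) and istio/proxyv2 (sidecar/gateway proxy).

PATCHED="1.13.1"

# is_older A B: exit 0 if dotted numeric version A is strictly lower than B.
# A variant suffix such as "-distroless" is ignored by the caller.
is_older() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
    if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# outdated_istio_images: reads image references on stdin and prints the Istio
# control-plane or proxy images tagged below $PATCHED. Digest-pinned references
# (image@sha256:...) carry no tag and are not matched; resolve those separately.
outdated_istio_images() {
  while IFS= read -r image; do
    case "$image" in
      */istio/pilot:*|*/istio/proxyv2:*|istio/pilot:*|istio/proxyv2:*) ;;
      *) continue ;;
    esac
    tag="${image##*:}"
    tag="${tag%%-*}"          # drop variant suffix, e.g. 1.13.0-distroless
    if is_older "$tag" "$PATCHED"; then
      printf '%s\n' "$image"
    fi
  done
}

# Constructed sample standing in for kubectl output: three images are stale.
SAMPLE_IMAGES='docker.io/istio/pilot:1.13.0
docker.io/istio/proxyv2:1.13.1
docker.io/istio/proxyv2:1.12.4
docker.io/library/nginx:1.21
docker.io/istio/proxyv2:1.13.0-distroless'

# count_outdated: number of stale Istio images in the sample (used as a result).
count_outdated() {
  printf '%s\n' "$SAMPLE_IMAGES" | outdated_istio_images | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_IMAGES" | outdated_istio_images
```

In a live cluster, pipe the `kubectl` jsonpath output into `outdated_istio_images` instead of the sample; an empty result means every istiod and proxy in the mesh is at or above 1.13.1. Pods whose sidecar was injected before the upgrade keep the old proxy until they are restarted, which is exactly what this check catches.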
Envoy CVEs
Istio is not believed to be vulnerable to these Envoy CVEs at this time; they are listed for transparency.
- CVE-2021-43824 (CVSS Score 6.5, Medium): Potential null pointer dereference when using the JWT filter with a safe_regex match.
- CVE-2021-43825 (CVSS Score 6.1, Medium): Use-after-free when response filters increase response data, and the increased data exceeds downstream buffer limits.
- CVE-2021-43826 (CVSS Score 6.1, Medium): Use-after-free when tunneling TCP over HTTP, if the downstream disconnects during upstream connection establishment.
- CVE-2022-21654 (CVSS Score 7.3, High): Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.
- CVE-2022-21655 (CVSS Score 7.5, High): Incorrect handling of internal redirects to routes with a direct response entry.
- CVE-2022-23606 (CVSS Score 4.4, Medium): Stack exhaustion when a cluster is deleted via the Cluster Discovery Service.
Changes
Fixed
- Fixed istioctl x describe svc not evaluating the port appProtocol properly. (Issue #37159)
- Fixed an issue where a service update did not trigger a route update. (Issue #37356)