Announcing Istio 1.13.2
Istio 1.13.2 patch release.
This release fixes the security vulnerabilities described in our March 9th post, ISTIO-SECURITY-2022-004. This release note describes what’s different between Istio 1.13.1 and 1.13.2.
Security update
- CVE-2022-24726: (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack due to stack exhaustion.
Changes
- Added an OpenTelemetry access log provider. (Issue #36637)
- Added support for using the default JSON access log format with the Telemetry API. (Issue #37663)
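The two additions above are easiest to see together: the new provider is declared once in `meshConfig.extensionProviders`, and a `Telemetry` resource then selects it (alongside the built-in `envoy` stdout provider) for access logging. The following configuration is an added example written for this page, not a manifest from the Istio project or from the 1.13.2 release; the provider name `otel-als`, the collector address `otel-collector.observability.svc.cluster.local`, and the use of `accessLogEncoding: JSON` to get the JSON format for the built-in provider are assumptions of the example.

```yaml
# Added example, not part of the Istio 1.13.2 release note.
# Assumes an OpenTelemetry collector (hypothetical name) is reachable
# in-cluster at the address below and accepts OTLP over gRPC on port 4317.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    # Assumed setting: switch the built-in envoy provider from text to JSON output.
    accessLogEncoding: JSON
    extensionProviders:
    - name: otel-als                      # referenced by name from the Telemetry resource below
      envoyOtelAls:                       # the OpenTelemetry access log service provider type
        service: otel-collector.observability.svc.cluster.local
        port: 4317
---
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system                 # root namespace, so the policy applies mesh-wide
spec:
  accessLogging:
  - providers:
    - name: envoy                         # built-in stdout provider, now emitting JSON
    - name: otel-als                      # the OpenTelemetry provider declared above
```

Scoping the `Telemetry` resource to the root namespace makes it the mesh default; a resource of the same kind in a workload namespace, optionally with a `selector`, overrides it for that namespace or workload.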
Fixed
- Fixed `describe pod` not showing the VirtualService info if the gateway is set to a TLS ingress gateway. (Issue #35301)
- Fixed an issue where the `traffic.sidecar.istio.io/includeOutboundPorts` annotation does not take effect when using CNI. (Issue #37637)
- Fixed an issue where, when enabling Stackdriver metrics collection with the Telemetry API, logging was incorrectly enabled in certain scenarios. (Issue #37667)
Envoy CVEs
At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however, to be transparent.
- CVE-2022-21656 (CVSS Score 3.1, Low): X.509 `subjectAltName` matching (and `nameConstraints`) bypass.
- CVE-2022-21657 (CVSS Score 3.1, Low): X.509 Extended Key Usage and Trust Purposes bypass.