Announcing Istio 1.15.7
Istio 1.15.7 patch release.
This release fixes the security vulnerabilities described in our April 4th post, ISTIO-SECURITY-2023-001. This release note describes what’s different between Istio 1.15.6 and 1.15.7.
Security update
- CVE-2023-27487 (CVSS score 8.2, High): Client may fake the header x-envoy-original-path.
- CVE-2023-27488 (CVSS score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with a non-UTF-8 value is received.
- CVE-2023-27491 (CVSS score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
- CVE-2023-27492 (CVSS score 4.8, Moderate): Crash when a large request body is processed in the Lua filter.
- CVE-2023-27493 (CVSS score 8.1, High): Envoy doesn't escape HTTP header values.
- CVE-2023-27496 (CVSS score 6.5, Moderate): Crash when a redirect URL without a state parameter is received in the OAuth filter.
Changes
- Fixed an issue where you could not change PrivateKeyProvider using proxy-config. (Issue #41760)
- Fixed an issue where istioctl analyze was throwing a SIGSEGV when the optional field 'filter' was missing under the EnvoyFilter.ListenerMatch.FilterChainMatch section. (Issue #42831)
- Fixed an issue where an EnvoyFilter for Cluster.ConnectTimeout was affecting unrelated Clusters. (Issue #43435)