Announcing Istio 1.17.2
Istio 1.17.2 patch release.
This release fixes the security vulnerabilities described in our April 4th post, ISTIO-SECURITY-2023-001. This release note describes what’s different between Istio 1.17.1 and 1.17.2.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Security update
CVE-2023-27487: (CVSS Score 8.2, High): Client may fake the header
x-envoy-original-path
.CVE-2023-27488: (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
CVE-2023-27491: (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
CVE-2023-27492: (CVSS Score 4.8, Moderate): Crash when a large request body is processed in Lua filter.
CVE-2023-27493: (CVSS Score 8.1, High): Envoy doesn’t escape HTTP header values.
CVE-2023-27496: (CVSS Score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.
Changes
Added support for pushing additional federated trust domains from
caCertificates
to the peer SAN validator. (Issue #41666)Fixed overwriting label
istio.io/rev
in injected gateways whenistio.io/rev=<tag>
. (Issue #33237)Fixed an issue where you could not disable tracing in
ProxyConfig
. (Issue #31809)Fixed admission webhook fails with custom header value format. (Issue #42749)
Fixed a bug that would cause unexpected behavior when applying access logging configuration based on the direction of traffic. With this fix, access logging configuration for
CLIENT
orSERVER
will not affect each other. (Issue #43371)Fixed an issue where
EnvoyFilter
forCluster.ConnectTimeout
was affecting unrelatedClusters
. (Issue #43435)Fixed a bug in
istioctl analyze
where some messages are missed when there are services with no selector in the analyzed namespace. (PR #43678)Fixed resource namespace resolution for
istioctl
commands. (Issue #43691)Fixed an issue where auto allocated service entry IPs change on host reuse. (Issue #43858)
Fixed an issue where RBAC updates were not sent to older proxies after upgrading istiod to 1.17. (Issue #43785)
Fixed reconciliation logic in the validation webhook controller to rate-limit the retries in the loop. This should drastically reduce churn (and generated logs) in cases of misconfiguration. (Issue #32210)
Fixed an issue causing VMs using auto-registration to ignore labels other than those defined in a
WorkloadGroup
. (PR #44012)Fixed
istioctl experimental wait
has undecipherable message whenPILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING
is not enabled. (Issue #42967)