Announcing Istio 1.18.2
Istio 1.18.2 patch release.
This release fixes the security vulnerabilities described in our July 25th post, ISTIO-SECURITY-2023-003.
This release note describes what’s different between Istio 1.18.1 and 1.18.2.
Security update
- CVE-2023-35941: (CVSS Score 8.6, High): OAuth2 credentials exploit with permanent validity.
- CVE-2023-35942: (CVSS Score 6.5, Moderate): gRPC access log crash caused by the listener draining.
- CVE-2023-35943: (CVSS Score 6.3, Moderate): CORS filter segfault when origin header is removed.
- CVE-2023-35944: (CVSS Score 8.2, High): Incorrect handling of HTTP requests and responses with mixed case schemes in Envoy.
Changes
- Added support for a flag called USE_EXTERNAL_WORKLOAD_SDS. When set to true, it requires an external SDS workload socket and prevents the istio-proxy from starting if the workload SDS socket is not found. (Issue #45534)