Announcing Istio 1.9.8

This release fixes the security vulnerabilities described in our August 24th post, ISTIO-SECURITY-2021-008 as well as a few minor bug fixes to improve robustness. This release note describes what’s different between Istio 1.9.7 and 1.9.8.

Security update

• CVE-2021-39155 (CVE-2021-32779): Istio authorization policies incorrectly compare the host header in a case-sensitive manner against RFC 4343 with states it should be case-insensitive. Envoy routes the request hostname in a case-insensitive way which means the authorization policy could be bypassed.

  • CVSS Score: 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

• CVE-2021-39156: Istio contains a remotely exploitable vulnerability where an HTTP request with a fragment (e.g. #Section) in the path may bypass Istio’s URI path based authorization policies.

  • CVSS Score: 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Envoy Security updates

• CVE-2021-32777 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an HTTP request with multiple value headers may bypass authorization policies when using the ext_authz extension.

• CVE-2021-32778 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests may lead to excessive CPU consumption.

• CVE-2021-32781 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability that affects Envoy’s decompressor, json-transcoder or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy’s extension beyond internal buffer size may lead to Envoy accessing deallocated memory and terminating abnormally.

Changes

• Fixed users adding invalid ciphers to Gateway cipherSuites. (Issue 34084)