Security Bulletins
Disclosed security vulnerabilities and their mitigation.
| Disclosure | Date | Affected Releases | Impact Score | Related |
|---|---|---|---|---|
| ISTIO-SECURITY-2020-005 | May 12, 2020 | 1.4 to 1.4.8 1.5 to 1.5.3 | 7.5 | |
| ISTIO-SECURITY-2020-004 | March 25, 2020 | 1.4 to 1.4.6 1.5 | 8.7 | Default Kiali security configuration allows full control of mesh |
| ISTIO-SECURITY-2020-003 | March 3, 2020 | 1.4 to 1.4.5 | 7.5 | Two Uncontrolled Resource Consumption and Two Incorrect Access Control Vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-001 | February 11, 2020 | 1.3 to 1.3.7 1.4 to 1.4.3 | 9.0 | Authentication Policy bypass |
| ISTIO-SECURITY-2020-002 | February 11, 2020 | 1.3 to 1.3.6 | 7.4 | Mixer policy check bypass caused by improperly accepting certain request headers |
| ISTIO-SECURITY-2019-007 | December 10, 2019 | 1.2 to 1.2.9 1.3 to 1.3.5 1.4 to 1.4.1 | 9.0 | Heap overflow and improper input validation in Envoy |
| ISTIO-SECURITY-2019-006 | November 7, 2019 | 1.3 to 1.3.4 | 7.5 | Denial of service |
| ISTIO-SECURITY-2019-005 | October 8, 2019 | 1.1 to 1.1.15 1.2 to 1.2.6 1.3 to 1.3.1 | 7.5 | Denial of service caused by the presence of numerous HTTP headers in client requests |
| Istio 1.2.4 sidecar image vulnerability | September 10, 2019 | 1.2 to 1.2.4 | An erroneous 1.2.4 sidecar image was available due to a faulty release operation | |
| ISTIO-SECURITY-2019-003 | August 13, 2019 | 1.1 to 1.1.12 1.2 to 1.2.3 | 7.5 | Denial of service in regular expression parsing |
| ISTIO-SECURITY-2019-004 | August 13, 2019 | 1.1 to 1.1.12 1.2 to 1.2.3 | 7.5 | Multiple denial of service vulnerabilities related to HTTP2 support in Envoy |
| ISTIO-SECURITY-2019-002 | June 28, 2019 | 1.0 to 1.0.8 1.1 to 1.1.9 1.2 to 1.2.1 | 7.5 | Denial of service affecting JWT access token parsing |
| ISTIO-SECURITY-2019-001 | May 28, 2019 | 1.1 to 1.1.6 | 8.9 | Incorrect access control |