Security Bulletins

Disclosed security vulnerabilities and their mitigation.

| Disclosure | Date | Affected Releases | Impact Score | Related |
|---|---|---|---|---|
| ISTIO-SECURITY-2020-005 | May 12, 2020 | 1.4 to 1.4.8; 1.5 to 1.5.3 | 7.5 | |
| ISTIO-SECURITY-2020-004 | March 25, 2020 | 1.4 to 1.4.6; 1.5 | 8.7 | Default Kiali security configuration allows full control of mesh |
| ISTIO-SECURITY-2020-003 | March 3, 2020 | 1.4 to 1.4.5 | 7.5 | Two Uncontrolled Resource Consumption and Two Incorrect Access Control Vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-001 | February 11, 2020 | 1.3 to 1.3.7; 1.4 to 1.4.3 | 9.0 | Authentication Policy bypass |
| ISTIO-SECURITY-2020-002 | February 11, 2020 | 1.3 to 1.3.6 | 7.4 | Mixer policy check bypass caused by improperly accepting certain request headers |
| ISTIO-SECURITY-2019-007 | December 10, 2019 | 1.2 to 1.2.9; 1.3 to 1.3.5; 1.4 to 1.4.1 | 9.0 | Heap overflow and improper input validation in Envoy |
| ISTIO-SECURITY-2019-006 | November 7, 2019 | 1.3 to 1.3.4 | 7.5 | Denial of service |
| ISTIO-SECURITY-2019-005 | October 8, 2019 | 1.1 to 1.1.15; 1.2 to 1.2.6; 1.3 to 1.3.1 | 7.5 | Denial of service caused by the presence of numerous HTTP headers in client requests |
| Istio 1.2.4 sidecar image vulnerability | September 10, 2019 | 1.2 to 1.2.4 | | An erroneous 1.2.4 sidecar image was available due to a faulty release operation |
| ISTIO-SECURITY-2019-003 | August 13, 2019 | 1.1 to 1.1.12; 1.2 to 1.2.3 | 7.5 | Denial of service in regular expression parsing |
| ISTIO-SECURITY-2019-004 | August 13, 2019 | 1.1 to 1.1.12; 1.2 to 1.2.3 | 7.5 | Multiple denial of service vulnerabilities related to HTTP2 support in Envoy |
| ISTIO-SECURITY-2019-002 | June 28, 2019 | 1.0 to 1.0.8; 1.1 to 1.1.9; 1.2 to 1.2.1 | 7.5 | Denial of service affecting JWT access token parsing |
| ISTIO-SECURITY-2019-001 | May 28, 2019 | 1.1 to 1.1.6 | 8.9 | Incorrect access control |