Announcing Istio 1.2.4
Patch Release
We’re pleased to announce the availability of Istio 1.2.4. Please see below for what’s changed.
ANTES DE ATUALIZAR
Coisas para saber e preparar antes da atualização.
BAIXAR
Baixe e instale esta versão.
DOCS
Visite a documentação para esta versão.
ALTERAÇÕES NO SOURCE
Inspecione o conjunto completo de alterações no código fonte.
Security update
This release contains fixes for the security vulnerabilities described in ISTIO-SECURITY-2019-003] ISTIO-SECURITY-2019-004. Specifically:
ISTIO-SECURITY-2019-003: An Envoy user reported publicly an issue (c.f. Envoy Issue 7728) about regular expressions matching that crashes Envoy with very large URIs.
* CVE-2019-14993: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: JWT
, VirtualService
, HTTPAPISpecBinding
, QuotaSpecBinding
.
ISTIO-SECURITY-2019-004: Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks:
* CVE-2019-9512: HTTP/2 flood using PING
frames and queuing of response PING
ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* CVE-2019-9513: HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.
* CVE-2019-9514: HTTP/2 flood using HEADERS
frames with invalid HTTP headers and queuing of response RST_STREAM
frames that results in unbounded memory growth (which can lead to out of memory conditions).
* CVE-2019-9515: HTTP/2 flood using SETTINGS
frames and queuing of SETTINGS
ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* CVE-2019-9518: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.
Nothing else is included in this release except for the above security fixes.