ISTIO-SECURITY-2019-007

Security Bulletin

Detalhes da divulgação
CVE(s)CVE-2019-18801
CVE-2019-18802
Pontuação de impacto CVSS9.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lançamentos afetados1.2 to 1.2.9
1.3 to 1.3.5
1.4 to 1.4.1

Envoy, and subsequently Istio are vulnerable to two newly discovered vulnerabilities:

  • CVE-2019-18801: This vulnerability affects Envoy’s HTTP/1 codec in its way it processes downstream’s requests with large HTTP/2 headers. A successful exploitation of this vulnerability could lead to a denial of Service, escalation of privileges, or information disclosure.

  • CVE-2019-18802: HTTP/1 codec incorrectly fails to trim whitespace after header values. This could allow an attacker to bypass Istio’s policy either for information disclosure or escalation of privileges.

  • CVE-2019-18838: Upon receipt of a malformed HTTP request without the “Host” header, an encoder filter invoking Envoy’s route manager APIs that access request’s “Host” header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.

Impact and detection

Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases where downstream’s requests are HTTP/2 while upstream’s are HTTP/1, then your cluster is vulnerable. We expect this to be true of most clusters.

Mitigation

  • For Istio 1.2.x deployments: update to Istio 1.2.10 or later.
  • For Istio 1.3.x deployments: update to Istio 1.3.6 or later.
  • For Istio 1.4.x deployments: update to Istio 1.4.2 or later.

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.

Esta informação foi útil?
Você tem alguma sugestão de melhoria?

Obrigado pelo seu feedback!