Announcing Istio 1.4.7
This release contains fixes for the security vulnerabilities described in our March 25th, 2020 news post. This release note describes what’s different between Istio 1.4.6 and Istio 1.4.7.
- ISTIO-SECURITY-2020-004 Istio uses a hard coded
CVE-2020-1764: Istio uses a default signing key to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 release.
- Fixed an issue causing protocol detection to break HTTP2 traffic to gateways (Issue 21230).