Announcing Istio 1.4.7

Patch Release

This release contains fixes for the security vulnerabilities described in our March 25th, 2020 news post. This release note describes what’s different between Istio 1.4.6 and Istio 1.4.7.

Security Update

  • ISTIO-SECURITY-2020-004: Istio uses a hard-coded signing_key for Kiali.

CVE-2020-1764: Istio uses a default signing key to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio. In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 release.

Changes

  • Fixed an issue causing protocol detection to break HTTP2 traffic to gateways (Issue 21230).