Announcing Istio 1.8.6
Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path-based authorization rules are used. See the ISTIO-SECURITY-2021-005 bulletin for more details.
- CVSS Score: 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Envoy contains a remotely exploitable vulnerability where an HTTP request with escaped slash characters can bypass Envoy’s authorization mechanisms.
- CVSS Score: 8.3 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with the AUTO_PASSTHROUGH routing configuration. See the ISTIO-SECURITY-2021-006 bulletin for more details.
- CVSS Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
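The two path-related bulletins above share one root cause: the proxy matches authorization rules against the path as it arrives on the wire, while the backend acts on a decoded and normalized form of it, so a request that does not match a deny rule at the proxy can still reach the protected resource. The following is an added example, not Istio or Envoy code, that shows the bypass against a naive prefix matcher and the canonicalization a hardened matcher performs before comparing. The deny rule, the request paths and the `normalize_path` strategy are constructed for illustration and are assumptions, not the project's implementation.

```python
"""Added example (not Istio or Envoy code): path-based authorization must
compare against a normalized path, otherwise multiple slashes, escaped
slashes (%2F, %5C) and dot segments bypass the rule.

Everything below (the deny rule, the request paths, the normalization
strategy) is constructed for illustration.
"""
import posixpath
import re
from typing import Dict, Optional, Tuple

# Constructed policy: deny everything under /admin/, mirroring an
# AuthorizationPolicy with action DENY and paths ["/admin/*"].
DENY_PREFIXES = ("/admin/",)

_ESCAPED_SLASH = re.compile(r"%(2f|5c)", re.IGNORECASE)


def naive_allowed(raw_path: str) -> bool:
    """Vulnerable pattern: literal prefix match on the wire-format path.
    The backend will decode/merge the path, so proxy and backend disagree."""
    return not raw_path.startswith(DENY_PREFIXES)


def normalize_path(raw_path: str, *, reject_escaped_slashes: bool = False) -> Optional[str]:
    """Canonicalize a request path to the form a typical backend acts on:
    1. drop the query string (rules match on the path only);
    2. decode %2F / %5C into '/', or reject the request when asked to;
    3. treat literal backslashes as slashes (many backends do);
    4. merge repeated slashes;
    5. remove '.' and '..' segments.
    Returns None when the request should be rejected outright."""
    path = raw_path.split("?", 1)[0]
    if _ESCAPED_SLASH.search(path):
        if reject_escaped_slashes:
            return None
        path = _ESCAPED_SLASH.sub("/", path)
    path = path.replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)
    # posixpath.normpath resolves dot segments; merging first matters because
    # normpath deliberately preserves a leading '//' (POSIX semantics).
    path = posixpath.normpath(path or "/")
    if not path.startswith("/"):
        path = "/" + path
    return path


def hardened_allowed(raw_path: str) -> bool:
    """Match the deny rule against the canonical path; reject unparseable input."""
    path = normalize_path(raw_path)
    if path is None:
        return False
    return not path.startswith(DENY_PREFIXES)


# Constructed requests: one legitimate, one straightforward hit on the rule,
# and four variants that slip past the naive matcher.
SAMPLE_REQUESTS = [
    "/public/index.html",      # legitimate, must stay allowed
    "/admin/users",            # plain hit on the deny rule
    "//admin/users",           # multiple slashes
    "/admin%2Fusers",          # escaped forward slash
    "/admin%5Cusers",          # escaped backslash
    "/public/../admin/users",  # dot segment
]


def evaluate(paths=SAMPLE_REQUESTS) -> Dict[str, Tuple[bool, bool]]:
    """Return {path: (naive_allowed, hardened_allowed)} for each request."""
    return {p: (naive_allowed(p), hardened_allowed(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, hardened) in evaluate().items():
        print(f"{path:<28} naive={'allow' if naive else 'deny':<5} "
              f"hardened={'allow' if hardened else 'deny'}")
```

The four variants are allowed by `naive_allowed` and denied by `hardened_allowed`, while the legitimate path stays allowed by both. Whether escaped slashes should be decoded or rejected depends on how the backends behind the proxy interpret them; rejecting them (`reject_escaped_slashes=True`) is the conservative choice when that is unknown, because decoding at the proxy only helps if the backend decodes the same way.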
Fixed istiod so it will no longer generate listeners for privileged gateway ports (<1024) if the gateway Pod does not have sufficient permissions. Issue 27566
Fixed an issue where transport socket parameters configured in an EnvoyFilter were ignored; they are now taken into account. Issue 28996
Fixed PeerAuthentication so it no longer turns off mTLS while using multi-network, non-mTLS endpoints from the cross-network load-balancing endpoints, preventing 500 errors. Issue 28798
Fixed a bug causing runaway logs in istiod after disabling the default ingress controller. Issue 31336
Fixed the Kubernetes API server so it is now considered to be cluster-local by default. This means that any pod attempting to reach kubernetes.default.svc will always be directed to the in-cluster server. Issue 31340
Fixed Istio operator to prune resources that do not belong to the specific Istio operator CR. Issue 30833