Security Bulletins
Disclosed security vulnerabilities and their mitigation.
| Disclosure | Date | Affected Releases | Impact Score | Related |
|---|---|---|---|---|
| ISTIO-SECURITY-2021-005 | May 11, 2021 | All releases prior to 1.8.6 1.9.0 to 1.9.4 | 8.1 | HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules |
| ISTIO-SECURITY-2021-006 | May 11, 2021 | All releases prior to 1.8.6 1.9.0 to 1.9.4 | 10 | An external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with `AUTO_PASSTHROUGH` routing configuration |
| ISTIO-SECURITY-2021-004 | April 15, 2021 | All releases 1.5 and later | N/A | Potential misuse of mTLS-only fields in AuthorizationPolicy with plain text traffic |
| ISTIO-SECURITY-2021-003 | April 15, 2021 | All releases prior to 1.8.5 1.9.0 to 1.9.2 | 7.5 | |
| ISTIO-SECURITY-2021-002 | April 7, 2021 | All releases 1.6 and later | N/A | Upgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports |
| ISTIO-SECURITY-2021-001 | March 1, 2021 | 1.9.0 | 8.2 | JWT authentication can be bypassed when AuthorizationPolicy is misused |
| ISTIO-SECURITY-2020-011 | November 21, 2020 | 1.8.0 | N/A | Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections |
| ISTIO-SECURITY-2020-010 | September 29, 2020 | 1.6 to 1.6.10 1.7 to 1.7.2 | 8.3 | |
| ISTIO-SECURITY-2020-009 | August 11, 2020 | 1.5 to 1.5.8 1.6 to 1.6.7 | 6.8 | Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services |
| ISTIO-SECURITY-2020-008 | July 9, 2020 | 1.5 to 1.5.7 1.6 to 1.6.4 All releases prior to 1.5 | 6.6 | Incorrect validation of wildcard DNS Subject Alternative Names |
| ISTIO-SECURITY-2020-007 | June 30, 2020 | 1.5 to 1.5.6 1.6 to 1.6.3 | 7.5 | Multiple denial of service vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-006 | June 11, 2020 | 1.4 to 1.4.9 1.5 to 1.5.4 1.6 to 1.6.1 | 7.5 | Denial of service in the HTTP2 library used by Envoy |
| ISTIO-SECURITY-2020-005 | May 12, 2020 | 1.4 to 1.4.8 1.5 to 1.5.3 | 7.5 | Denial of service affecting telemetry v2 |
| ISTIO-SECURITY-2020-004 | March 25, 2020 | 1.4 to 1.4.6 1.5 | 8.7 | Default Kiali security configuration allows full control of mesh |
| ISTIO-SECURITY-2020-003 | March 3, 2020 | 1.4 to 1.4.5 | 7.5 | Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-002 | February 11, 2020 | 1.3 to 1.3.6 | 7.4 | Mixer policy check bypass caused by improperly accepting certain request headers |
| ISTIO-SECURITY-2020-001 | February 11, 2020 | 1.3 to 1.3.7 1.4 to 1.4.3 | 9.0 | Authentication Policy bypass |
| ISTIO-SECURITY-2019-007 | December 10, 2019 | 1.2 to 1.2.9 1.3 to 1.3.5 1.4 to 1.4.1 | 9.0 | Heap overflow and improper input validation in Envoy |
| ISTIO-SECURITY-2019-006 | November 7, 2019 | 1.3 to 1.3.4 | 7.5 | Denial of service |
| ISTIO-SECURITY-2019-005 | October 8, 2019 | 1.1 to 1.1.15 1.2 to 1.2.6 1.3 to 1.3.1 | 7.5 | Denial of service caused by the presence of numerous HTTP headers in client requests |
| Istio 1.2.4 sidecar image vulnerability | September 10, 2019 | 1.2 to 1.2.4 | An erroneous 1.2.4 sidecar image was available due to a faulty release operation | |
| ISTIO-SECURITY-2019-003 | August 13, 2019 | 1.1 to 1.1.12 1.2 to 1.2.3 | 7.5 | Denial of service in regular expression parsing |
| ISTIO-SECURITY-2019-004 | August 13, 2019 | 1.1 to 1.1.12 1.2 to 1.2.3 | 7.5 | Multiple denial of service vulnerabilities related to HTTP2 support in Envoy |
| ISTIO-SECURITY-2019-002 | June 28, 2019 | 1.0 to 1.0.8 1.1 to 1.1.9 1.2 to 1.2.1 | 7.5 | Denial of service affecting JWT access token parsing |
| ISTIO-SECURITY-2019-001 | May 28, 2019 | 1.1 to 1.1.6 | 8.9 | Incorrect access control |