Security Bulletins
Disclosed security vulnerabilities and their mitigation.
| Disclosure | Date | Affected Releases | Impact Score | Related |
|---|---|---|---|---|
| ISTIO-SECURITY-2021-0051 | May 11, 2021 | All releases prior to 1.8.6 1.9.0 to 1.9.4 | 8.12 | HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules |
| ISTIO-SECURITY-2021-0063 | May 11, 2021 | All releases prior to 1.8.6 1.9.0 to 1.9.4 | 104 | An external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with `AUTO_PASSTHROUGH` routing configuration |
| ISTIO-SECURITY-2021-0045 | April 15, 2021 | All releases 1.5 and later | N/A6 | Potential misuse of mTLS-only fields in AuthorizationPolicy with plain text traffic |
| ISTIO-SECURITY-2021-0037 | April 15, 2021 | All releases prior to 1.8.5 1.9.0 to 1.9.2 | 7.58 | |
| ISTIO-SECURITY-2021-0029 | April 7, 2021 | All releases 1.6 and later | N/A6 | Upgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports |
| ISTIO-SECURITY-2021-00110 | March 1, 2021 | 1.9.0 | 8.211 | JWT authentication can be bypassed when AuthorizationPolicy is misused |
| ISTIO-SECURITY-2020-01112 | November 21, 2020 | 1.8.0 | N/A6 | Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections |
| ISTIO-SECURITY-2020-01013 | September 29, 2020 | 1.6 to 1.6.10 1.7 to 1.7.2 | 8.314 | |
| ISTIO-SECURITY-2020-00915 | August 11, 2020 | 1.5 to 1.5.8 1.6 to 1.6.7 | 6.816 | Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services |
| ISTIO-SECURITY-2020-00817 | July 9, 2020 | 1.5 to 1.5.7 1.6 to 1.6.4 All releases prior to 1.5 | 6.618 | Incorrect validation of wildcard DNS Subject Alternative Names |
| ISTIO-SECURITY-2020-00719 | June 30, 2020 | 1.5 to 1.5.6 1.6 to 1.6.3 | 7.58 | Multiple denial of service vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-00620 | June 11, 2020 | 1.4 to 1.4.9 1.5 to 1.5.4 1.6 to 1.6.1 | 7.58 | Denial of service in the HTTP2 library used by Envoy |
| ISTIO-SECURITY-2020-00521 | May 12, 2020 | 1.4 to 1.4.8 1.5 to 1.5.3 | 7.58 | Denial of service affecting telemetry v2 |
| ISTIO-SECURITY-2020-00422 | March 25, 2020 | 1.4 to 1.4.6 1.5 | 8.723 | Default Kiali security configuration allows full control of mesh |
| ISTIO-SECURITY-2020-00324 | March 3, 2020 | 1.4 to 1.4.5 | 7.56 | Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-00225 | February 11, 2020 | 1.3 to 1.3.6 | 7.426 | Mixer policy check bypass caused by improperly accepting certain request headers |
| ISTIO-SECURITY-2020-00127 | February 11, 2020 | 1.3 to 1.3.7 1.4 to 1.4.3 | 9.028 | Authentication Policy bypass |
| ISTIO-SECURITY-2019-00729 | December 10, 2019 | 1.2 to 1.2.9 1.3 to 1.3.5 1.4 to 1.4.1 | 9.030 | Heap overflow and improper input validation in Envoy |
| ISTIO-SECURITY-2019-00631 | November 7, 2019 | 1.3 to 1.3.4 | 7.532 | Denial of service |
| ISTIO-SECURITY-2019-00533 | October 8, 2019 | 1.1 to 1.1.15 1.2 to 1.2.6 1.3 to 1.3.1 | 7.534 | Denial of service caused by the presence of numerous HTTP headers in client requests |
| Istio 1.2.4 sidecar image vulnerability35 | September 10, 2019 | 1.2 to 1.2.4 | An erroneous 1.2.4 sidecar image was available due to a faulty release operation | |
| ISTIO-SECURITY-2019-00336 | August 13, 2019 | 1.1 to 1.1.12 1.2 to 1.2.3 | 7.534 | Denial of service in regular expression parsing |
| ISTIO-SECURITY-2019-00437 | August 13, 2019 | 1.1 to 1.1.12 1.2 to 1.2.3 | 7.534 | Multiple denial of service vulnerabilities related to HTTP2 support in Envoy |
| ISTIO-SECURITY-2019-00238 | June 28, 2019 | 1.0 to 1.0.8 1.1 to 1.1.9 1.2 to 1.2.1 | 7.539 | Denial of service affecting JWT access token parsing |
| ISTIO-SECURITY-2019-00140 | May 28, 2019 | 1.1 to 1.1.6 | 8.941 | Incorrect access control |