- ISTIO-SECURITY-2019-006 (#5481)

* - ISTIO-SECURITY-2019-006 * - address linting process * Apply suggestions from code review * Add spelling * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com> * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com> * Update content/en/news/2019/istio-security-2019-006/index.md * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
2019-11-08 11:46:52 -08:00 · 2019-11-08 11:46:52 -08:00 · 2607a9bb51
parent 1d2c74a629
commit 2607a9bb51
2 changed files with 39 additions and 0 deletions
--- a/.spelling
+++ b/.spelling
@ -145,6 +145,7 @@ Customizable
 CVE
 CVE-2019-14993
 CVE-2019-15226
+CVE-2019-18817
 CVE-2019-9512
 CVE-2019-9513
 CVE-2019-9514
@ -275,6 +276,7 @@ istio-mixer
 ISTIO-SECURITY-2019-003
 ISTIO-SECURITY-2019-004
 ISTIO-SECURITY-2019-005
+ISTIO-SECURITY-2019-006
 istio-system
 istio.io
 istio.io.
--- a/content/en/news/2019/istio-security-2019-006/index.md
+++ b/content/en/news/2019/istio-security-2019-006/index.md
@ -0,0 +1,37 @@
+---
+title: Security Update - ISTIO-SECURITY-2019-006
+description: Security vulnerability disclosure for CVE-2019-18817.
+publishdate: 2019-11-07
+attribution: The Istio Team
+---
+
+__ISTIO-SECURITY-2019-006__: Envoy, and subsequently Istio, are vulnerable to the following DoS attack:
+* __[CVE-2019-18817](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18817)__: An infinite loop can be triggered in Envoy if the option `continue_on_listener_filters_timeout` is set to `True`. This has been the case for Istio since the introduction of the Protocol Detection feature in Istio 1.3
+A remote attacker may trivially trigger that vulnerability, effectively exhausting Envoy’s CPU resources and causing a denial-of-service attack.
+
+## Affected Istio releases
+
+The following Istio releases are vulnerable:
+
+* 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4
+
+## Impact score
+
+Overall CVSS score: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C&version=3.1)
+
+## Vulnerability impact and detection
+
+Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the versions listed above, your cluster is vulnerable.
+
+## Mitigation
+
+* Workaround:
+  The exploitation of that vulnerability can be prevented by customizing Istio installation (as described in [installation options](/docs/reference/config/installation-options/#pilot-options) ), using Helm to override the following options:
+
+{{< text plain >}}
+--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
+{{< /text >}}
+
+* We are going to release a fixed version of Istio as soon as possible to address this vulnerability.
+
+We'd like to remind our community to follow the [vulnerability reporting process](/about/security-vulnerabilities/) to report any bug that can result in a security vulnerability.