From 3aba355dc338184ae86b65ca8ed8777e37739782 Mon Sep 17 00:00:00 2001
From: Francois Pesce
Date: Mon, 15 Jun 2020 17:22:47 -0700
Subject: [PATCH] Cherrypick 1.5.5 release note (#7569)

* Update content/en/news/security/istio-security-2020-006/index.md

* Cherrypick 1.5.5 additional release note changes
---
 .../security/istio-security-2020-006/index.md | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/content/en/news/security/istio-security-2020-006/index.md b/content/en/news/security/istio-security-2020-006/index.md
index 0d8ba0d21a..2856923910 100644
--- a/content/en/news/security/istio-security-2020-006/index.md
+++ b/content/en/news/security/istio-security-2020-006/index.md
@@ -22,6 +22,35 @@ By sending a specially crafted packet, an attacker could cause the CPU to spike
 
 ## Mitigation
 
+HTTP2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration for example (Note that HTTP2 support at ingress can be disabled if you are not exposing gRPC services through ingress):
+
+{{< text yaml >}}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: disable-ingress-h2
+ namespace: istio-system
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ configPatches:
+ - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.http_connection_manager"
+ patch:
+ operation: MERGE
+ value:
+ typed_config:
+ "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
+ codec_type: HTTP1
+{{< /text >}}
+
 * For Istio 1.5.x deployments: update to [Istio 1.5.5](/news/releases/1.5.x/announcing-1.5.5) or later.
 * For Istio 1.6.x deployments: update to [Istio 1.6.2](/news/releases/1.6.x/announcing-1.6.2) or later.