Cherry pick feb 22 CVE announcement (#10958)

* Feb 2022 CVE (#10955)

* [release-1.13] CVE Feb 22, 2022 announcement (#32)

* Latest release notes for 1.11, 1.12 and 1.13

* Write up documentation for istio cve

* Update content/en/news/security/istio-security-2022-003/index.md

Co-authored-by: craigbox <craigbox@google.com>

* bring language from GHSA to docs (#10957)

* Update index.md

* Update content/en/news/security/istio-security-2022-003/index.md

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>

Co-authored-by: craigbox <craigbox@google.com>
Co-authored-by: Frank Budinsky <frankb@ca.ibm.com>
This commit is contained in:
jacob-delgado 2022-02-22 19:37:56 -07:00 committed by GitHub
parent 6706c49177
commit 66b10ba7f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 141 additions and 3 deletions

@ -273,6 +273,13 @@ CVE-2021-39155
CVE-2021-39156
CVE-2022-21679
CVE-2022-21701
CVE-2021-43824
CVE-2021-43825
CVE-2021-43826
CVE-2022-21654
CVE-2022-21655
CVE-2022-23606
CVE-2022-23635
CVEs
cves
cvss
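Review bot: the seven added identifiers break the ascending order the surrounding list keeps (the context runs CVE-2021-39155, CVE-2021-39156, CVE-2022-21679, CVE-2022-21701, and the new block then restarts at CVE-2021-43824). If the word list is meant to stay sorted, CVE-2021-43824 through CVE-2021-43826 belong after CVE-2021-39156, CVE-2022-21654 and CVE-2022-21655 belong before CVE-2022-21679, and only CVE-2022-23606 and CVE-2022-23635 belong where they are, after CVE-2022-21701.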
@ -469,6 +476,7 @@ ISTIO-SECURITY-2021-007
ISTIO-SECURITY-2021-008
ISTIO-SECURITY-2022-001
ISTIO-SECURITY-2022-002
ISTIO-SECURITY-2022-003
istio-system
istio.io
istio.io.

@ -76,9 +76,9 @@ Please keep up-to-date and use a supported version.
| Minor Releases | Patched versions with no known CVEs |
|----------------------------|--------------------------------------|
| 1.13.x | 1.13.0+ |
| 1.12.x | 1.12.2+ |
| 1.11.x | 1.11.1+ |
| 1.13.x | 1.13.1+ |
| 1.12.x | 1.12.4+ |
| 1.11.x | 1.11.7+ |
| 1.10.x | 1.10.4+ |
| 1.9.x | 1.9.9 |
| 1.8 and earlier | None |
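Review bot: the three replaced rows match the patch releases this commit announces (1.13.1, 1.12.4, 1.11.7), so the table is consistent with the new release notes. One style point visible in the unchanged context: the `1.9.x` row reads `1.9.9` with no `+` suffix, while every other supported line uses `x.y.z+`; if 1.9.9 is the final patch for that line this is intentional, otherwise align it with the other rows.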

@ -0,0 +1,19 @@
---
title: Announcing Istio 1.11.7
linktitle: 1.11.7
subtitle: Patch Release
description: Istio 1.11.7 patch release.
publishdate: 2022-02-22
release: 1.11.7
aliases:
- /news/announcing-1.11.7
---
This release fixes the security vulnerabilities described in our February 22nd post, [ISTIO-SECURITY-2022-003](/news/security/istio-security-2022-003). This release note describes whats different between Istio 1.11.6 and 1.11.7.
{{< relnote >}}
## Security update
- __[CVE-2022-23635](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2022-23635])__:
CVE-2022-23635 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack.
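Review bot: the link on the `- __[CVE-2022-23635](...)__:` line has a stray `]` at the end of its URL (`keyword=CVE-2022-23635]`), which will be carried into the rendered href and break the link; drop the bracket. In the intro sentence, `whats different` should read `what's different`.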

@ -0,0 +1,24 @@
---
title: Announcing Istio 1.12.4
linktitle: 1.12.4
subtitle: Patch Release
description: Istio 1.12.4 patch release.
publishdate: 2022-02-22
release: 1.12.4
aliases:
- /news/announcing-1.12.4
---
This release fixes the security vulnerabilities described in our February 22nd post, [ISTIO-SECURITY-2022-003](/news/security/istio-security-2022-003). This release note describes whats different between Istio 1.12.3 and 1.12.4.
{{< relnote >}}
## Security update
- __[CVE-2022-23635](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2022-23635])__:
CVE-2022-23635 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack.
# Changes
- **Fixed** an issue where service update does not trigger route update.
([Issue #37356](https://github.com/istio/istio/pull/37356))
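Review bot: under `# Changes` the reference is labelled `Issue #37356` but links to `https://github.com/istio/istio/pull/37356`, which is a pull request; either label it as a PR or link the issue it closes. The same hunk repeats two problems from the other release notes: the CVE link URL ends in a stray `]` (`keyword=CVE-2022-23635]`), and `whats different` should be `what's different`. Also, `# Changes` is a level-1 heading while `## Security update` is level 2, so the rendered page's hierarchy is inverted; `## Changes` would match.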

@ -0,0 +1,27 @@
---
title: Announcing Istio 1.13.1
linktitle: 1.13.1
subtitle: Patch Release
description: Istio 1.13.1 patch release.
publishdate: 2022-02-22
release: 1.13.1
aliases:
- /news/announcing-1.13.1
---
This release fixes the security vulnerabilities described in our February 22nd post, [ISTIO-SECURITY-2022-003](/news/security/istio-security-2022-003). This release note describes whats different between Istio 1.13.0 and 1.13.1.
{{< relnote >}}
## Security update
- __[CVE-2022-23635](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2022-23635])__:
CVE-2022-23635 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack.
# Changes
- **Fixed** `istioctl x describe svc` not evaluating port `appProtocol` properly.
([Issue #37159](https://github.com/istio/istio/issues/37159))
- **Fixed** an issue where service update does not trigger route update.
([Issue #37356](https://github.com/istio/istio/pull/37356))
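Review bot: the second `# Changes` entry is labelled `Issue #37356` but links to `https://github.com/istio/istio/pull/37356`, a pull request, while the first entry correctly links an issue URL for `#37159`; make the label match the target. As in the other two release notes, the CVE link URL ends in a stray `]` (`keyword=CVE-2022-23635]`), `whats different` should be `what's different`, and `# Changes` (level 1) sits under `## Security update` (level 2), inverting the heading hierarchy.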

@ -0,0 +1,60 @@
---
title: ISTIO-SECURITY-2022-003
subtitle: Security Bulletin
description: Multiple CVEs related to istiod Denial of Service and Envoy.
cves: [CVE-2022-21701, CVE-2021-43824, CVE-2021-43825, CVE-2021-43826, CVE-2022-21654, CVE-2022-21655, CVE-2022-23606]
cvss: "7.5"
vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
releases: ["All releases prior to 1.11.0", "1.11.0 to 1.11.6", "1.12.0 to 1.12.3", "1.13.0"]
publishdate: 2022-02-22
keywords: [CVE]
skip_seealso: true
---
{{< security_bulletin >}}
## CVE
### CVE-2022-23635
- __[CVE-2022-23635](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2022-23635])__:
CVE-2022-23635 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack.
The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that
sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012,
but does not require any authentication from the attacker.
For simple installations, istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster topologies](/docs/setup/install/multicluster/primary-remote/), this port is exposed over the public internet.
### Envoy CVEs
At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however,
to be transparent.
- __[CVE-2021-43824](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-43824])__:
CVE-2021-43824 (CVSS Score 6.5, Medium): Envoy 1.21.0 and earlier - Potential null pointer dereference when using JWT filter `safe_regex` match.
- __[CVE-2021-43825](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-43825])__:
CVE-2021-43825 (CVSS Score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.
- __[CVE-2021-43826](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2021-43826])__:
CVE-2021-43826 (CVSS Score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.
- __[CVE-2022-21654](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2022-21654])__:
CVE-2022-21654 (CVSS Score 7.3, High): Envoy 1.7.0 and later - Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.
- __[CVE-2022-21655](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2022-21655])__:
CVE-2022-21655 (CVSS Score 7.5, High): Envoy 1.21 and earlier - Incorrect handling of internal redirects to routes with a direct response entry.
The following CVE did not apply to Istio 1.11.6.
- __[CVE-2022-23606](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2022-23606])__:
CVE-2022-23606 (CVSS Score 4.4, Moderate): Envoy 1.20 and later - Stack exhaustion when a cluster is deleted via Cluster Discovery Service.
## Am I Impacted?
You are at most risk if you are running Istio in a multi-cluster environment, or if you have exposed your istiod externally.
## Credit
We would like to thank John Howard (Google) for the report and the fix.
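Review bot: the `cves:` front-matter list omits CVE-2022-23635, the vulnerability this bulletin is about (the first body section is `### CVE-2022-23635`, and `cvss: "7.5"` with vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` describe that CVE), while it includes CVE-2022-21701, which the body never mentions; this looks like a leftover from an earlier bulletin and should be corrected, since the front matter is what the `security_bulletin` shortcode and the index pages render. Every MITRE link in the hunk has a stray `]` at the end of its URL (`keyword=CVE-2022-23635]` and so on), which breaks the links. The CVE-2022-23635 description is ungrammatical: `allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing` could read `allowing an attacker who sends a specially crafted message to crash the control plane`. Finally, CVE-2022-23606 is labelled `Moderate` while the other sub-7.0 scores in the same list use `Medium`; pick one severity label for consistency.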