Big cleanup of security bulletins. (#5761)

- Security bulletins now have a cleaner style, with a common table
at the top capturing common info.

- Generate a custom table when showing the list of bulletins.
Martin Taillefer 2019-11-18 07:19:36 -08:00 committed by GitHub
parent a8283f95d2
commit b5ddc1fa56
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 284 additions and 200 deletions

View File

@ -321,6 +321,7 @@ linter
linters
liveness
loopback
Lua
Lyft
macOS
Mandar

View File

@ -0,0 +1,7 @@
---
---
## Reporting vulnerabilities
Wed like to remind our community to follow the [vulnerability reporting process](/about/security-vulnerabilities/) to report any bug that can result in a
security vulnerability.
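Review bot: the reminder sentence in this new boilerplate reads "Wed like", missing its apostrophe; write "We'd like". Because this shortcode is included at the bottom of every bulletin in this commit, the typo would be repeated on each page.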

View File

@ -18,7 +18,8 @@ We're pleased to announce the availability of Istio 1.1.13. Please see below for
## Security update
This release contains fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003-004/). Specifically:
This release contains fixes for the security vulnerabilities described in [ISTIO-SECURITY-2019-003](/news/security/istio-security-2019-003/) and
[ISTIO-SECURITY-2019-004](/news/security/istio-security-2019-004/). Specifically:
__ISTIO-SECURITY-2019-003__: An Envoy user reported publicly an issue (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)) about regular expressions matching that crashes Envoy with very large URIs.
* __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding`.
@ -29,6 +30,5 @@ __ISTIO-SECURITY-2019-004__: Envoy, and subsequently Istio are vulnerable to a s
* __[CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)__: HTTP/2 flood using `HEADERS` frames with invalid HTTP headers and queuing of response `RST_STREAM` frames that results in unbounded memory growth (which can lead to out of memory conditions).
* __[CVE-2019-9515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515)__: HTTP/2 flood using `SETTINGS` frames and queuing of `SETTINGS` ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* __[CVE-2019-9518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518)__: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.
* See [this security bulletin](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md) for more information
Nothing else is included in this release except for the above security fixes.

View File

@ -18,7 +18,8 @@ We're pleased to announce the availability of Istio 1.1.14. Please see below for
## Security update
Following the previous fixes for the security vulnerabilities described in [our August 13th, 2019 blog post](/news/security/istio-security-2019-003-004/), we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.
Following the previous fixes for the security vulnerabilities described in [ISTIO-SECURITY-2019-003](/news/security/istio-security-2019-003/)
and [ISTIO-SECURITY-2019-004](/news/security/istio-security-2019-004/), we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.
You can find the gRPC vulnerability fix description on their mailing list (c.f.
[HTTP/2 Security Vulnerabilities](https://groups.google.com/forum/#!topic/grpc-io/w5jPamxdda4)).

View File

@ -18,7 +18,8 @@ We're pleased to announce the availability of Istio 1.2.4. Please see below for
## Security update
This release contains fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003-004/). Specifically:
This release contains fixes for the security vulnerabilities described in [ISTIO-SECURITY-2019-003](/news/security/istio-security-2019-003/)]
[ISTIO-SECURITY-2019-004](/news/security/istio-security-2019-004/). Specifically:
__ISTIO-SECURITY-2019-003__: An Envoy user reported publicly an issue (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)) about regular expressions matching that crashes Envoy with very large URIs.
* __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding`.
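Review bot: the rewritten sentence in the 1.2.4 announcement has a stray `]` after the ISTIO-SECURITY-2019-003 link and drops the "and" between the two bulletin links, so it renders as two links run together. Match the 1.1.13 wording from the earlier hunk: `described in [ISTIO-SECURITY-2019-003](/news/security/istio-security-2019-003/) and` followed by `[ISTIO-SECURITY-2019-004](/news/security/istio-security-2019-004/). Specifically:`.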
@ -29,6 +30,5 @@ __ISTIO-SECURITY-2019-004__: Envoy, and subsequently Istio are vulnerable to a s
* __[CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)__: HTTP/2 flood using `HEADERS` frames with invalid HTTP headers and queuing of response `RST_STREAM` frames that results in unbounded memory growth (which can lead to out of memory conditions).
* __[CVE-2019-9515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515)__: HTTP/2 flood using `SETTINGS` frames and queuing of `SETTINGS` ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* __[CVE-2019-9518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518)__: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.
* See [this security bulletin](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md) for more information
Nothing else is included in this release except for the above security fixes.

View File

@ -18,7 +18,9 @@ We're pleased to announce the availability of Istio 1.2.5. Please see below for
## Security update
Following the previous fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003-004/), we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.
Following the previous fixes for the security vulnerabilities described in [ISTIO-SECURITY-2019-003](/news/security/istio-security-2019-003/)
and [ISTIO-SECURITY-2019-004](/news/security/istio-security-2019-004), we are now addressing the internal control plane communication surface.
These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.
You can find the gRPC vulnerability fix description on their mailing list (c.f.
[HTTP/2 Security Vulnerabilities](https://groups.google.com/forum/#!topic/grpc-io/w5jPamxdda4)).
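Review bot: the ISTIO-SECURITY-2019-004 link in the 1.2.5 announcement is written as `/news/security/istio-security-2019-004` without the trailing slash that every other bulletin link in this commit carries; add it so the link is consistent and does not depend on a redirect.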

View File

@ -3,4 +3,5 @@ title: Security Bulletins
description: Disclosed security vulnerabilities and their mitigation.
weight: 7
list_by_publishdate: true
layout: security-grid
---

View File

@ -9,7 +9,9 @@ aliases:
---
To the Istios user community,
For the period between Aug 23rd 2019 09:16PM PST and Sep 6th 2019 09:26AM PST a Docker image shipped as Istio `proxyv2` 1.2.4 (c.f. [https://hub.docker.com/r/istio/proxyv2](https://hub.docker.com/r/istio/proxyv2) ) contained a faulty version of the proxy against the security bugs [ISTIO-SECURITY-2019-003 and ISTIO-SECURITY-2019-004](/news/security/istio-security-2019-003-004/).
For the period between Aug 23rd 2019 09:16PM PST and Sep 6th 2019 09:26AM PST a Docker image shipped as Istio `proxyv2` 1.2.4 (c.f. [https://hub.docker.com/r/istio/proxyv2](https://hub.docker.com/r/istio/proxyv2) )
contained a faulty version of the proxy against the vulnerabilities [ISTIO-SECURITY-2019-003](/news/security/istio-security-2019-003/) and
[ISTIO-SECURITY-2019-004](/news/security/istio-security-2019-004/).
If you have installed Istio 1.2.4 during that time, please consider upgrading to Istio 1.2.5 that also contains additional security fixes.

View File

@ -2,13 +2,23 @@
title: ISTIO-SECURITY-2019-001
subtitle: Security Bulletin
description: Security vulnerability disclosure for CVE-2019-12243.
cve: [CVE-2019-12243]
publishdate: 2019-05-28
keywords: [CVE]
skip_seealso: true
aliases:
- /blog/2019/cve-2019-12243
- /news/2019/cve-2019-12243
---
| Information |  
|-------------------|--------
| CVE | [CVE 2019-12243](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12243)
| CVSS Impact Score | 8.9 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C)
| Affected Releases | 1.1 to 1.1.6
## Context
During review of the [Istio 1.1.7](/news/releases/1.1.x/announcing-1.1.7) release notes, we realized that [issue 13868](https://github.com/istio/istio/issues/13868),
which is fixed in the release, actually represents a security vulnerability.
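Review bot: the empty header cell of the new info table is written as `| Information |  ` (trailing spaces) in this file, whereas the other bulletins in this commit use `| Information | &nbsp;`; use `&nbsp;` here too so all the tables render the same.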
@ -19,21 +29,9 @@ as alpha stability, which would not have required invoking this security advisor
We are revisiting our processes to flag vulnerabilities that are initially reported as bugs instead of through the
[private disclosure process](/about/security-vulnerabilities/).
We tracked the bug to a code change introduced in Istio 1.1 and affecting all versions up to 1.1.6.
We tracked the bug to a code change introduced in Istio 1.1 and affecting all releases up to 1.1.6.
This vulnerability is referred to as [CVE 2019-12243](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12243)
## Affected Istio releases
The following Istio releases are vulnerable:
* 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6
## Impact score
Overall CVSS score: 8.9 [AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C)
## Vulnerability impact and detection
## Impact and detection
Since Istio 1.1, In the default Istio installation profile, policy enforcement is disabled by default.
@ -55,9 +53,11 @@ You are impacted by the vulnerability issue if the following conditions are all
## Mitigation
* Users of Istio 1.0.x are not affected
* For Istio 1.1.x deployments: update to a minimum version of [Istio 1.1.7](/news/releases/1.1.x/announcing-1.1.7)
* Users of Istio 1.0.x are not affected.
* For Istio 1.1.x deployments: update to [Istio 1.1.7](/news/releases/1.1.x/announcing-1.1.7) or later.
## Credit
The Istio team would like to thank `Haim Helman` for the original bug report.
{{< boilerplate "security-vulnerability" >}}

View File

@ -2,13 +2,23 @@
title: ISTIO-SECURITY-2019-002
subtitle: Security Bulletin
description: Security vulnerability disclosure for CVE-2019-12995.
cve: [CVE-2019-12995]
publishdate: 2019-06-28
keywords: [CVE]
skip_seealso: true
aliases:
- /blog/2019/cve-2019-12995
- /news/2019/cve-2019-12995
---
| Information | &nbsp;
|-------------------|--------
| CVE | [CVE 2019-12995](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12995)
| CVSS Impact Score | 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C)
| Affected Releases | 1.0 to 1.0.8<br>1.1 to 1.1.9<br>1.2 to 1.2.1
## Context
A bug in Istios JWT validation filter causes Envoy to crash in certain cases when the request contains a malformed JWT token. The bug was discovered and reported by a user [on GitHub](https://github.com/istio/istio/issues/15084) on June 23, 2019.
This bug affects all versions of Istio that are using the JWT authentication policy.
@ -23,21 +33,7 @@ in the Envoy logs.
The Envoy crash can be triggered using a malformed JWT without a valid signature, and on any URI being accessed regardless of the `trigger_rules` in the JWT specification. Thus, this bug makes Envoy vulnerable to a potential DoS attack.
This vulnerability is referred to as [CVE 2019-12995](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12995)
## Affected Istio releases
The following Istio releases are vulnerable:
* 1.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8
* 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9
* 1.2, 1.2.1
## Impact score
Overall CVSS score: 7.5 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C)
## Vulnerability impact and detection
## Impact and detection
Envoy is vulnerable if the following two conditions are satisfied:
@ -83,20 +79,22 @@ echo "${green}Did NOT find JWT in authentication policy, YOU ARE NOT AFFECTED${r
EOF
{{< /text >}}
## Mitigations
## Mitigation
This bug is fixed in the following versions of Istio:
This bug is fixed in the following Istio releases:
* For Istio 1.0.x deployments: update to a minimum version of Istio 1.0.9
* For Istio 1.1.x deployments: update to a minimum version of Istio 1.1.10
* For Istio 1.2.x deployments: update to a minimum version of Istio 1.2.2
* For Istio 1.0.x deployments: update to [Istio 1.0.9](/news/releases/1.0.x/announcing-1.0.9) or later.
* For Istio 1.1.x deployments: update to [Istio 1.1.10](/news/releases/1.1.x/announcing-1.1.10) or later.
* For Istio 1.2.x deployments: update to [Istio 1.2.2](/news/releases/1.2.x/announcing-1.2.2) or later.
If you cannot immediately upgrade to one of these releases, you have the additional option of injecting a [`Lua` filter](https://github.com/istio/tools/tree/master/examples/luacheck) into older versions of Istio. This filter has been verified to work with Istio versions 1.1.9, 1.0.8, 1.0.6, and 1.1.3.
If you cannot immediately upgrade to one of these releases, you have the additional option of injecting a
[Lua filter](https://github.com/istio/tools/tree/master/examples/luacheck) into older releases of Istio.
This filter has been verified to work with Istio 1.1.9, 1.0.8, 1.0.6, and 1.1.3.
The `Lua` filter is injected *before* the Istio `jwt-auth` filter.
The Lua filter is injected *before* the Istio `jwt-auth` filter.
If a JWT token is presented on an http request, the `Lua` filter will check if the JWT token header contains alg:ES256. If the filter finds such a JWT token, the request is rejected.
To install the `Lua` filter, please invoke the following commands:
To install the Lua filter, please invoke the following commands:
{{< text bash >}}
$ git clone git@github.com:istio/tools.git
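Review bot: the sentence "If a JWT token is presented on an http request, the `Lua` filter will check ..." between the two rewritten lines still has Lua in backticks, while the adjacent lines in this hunk drop them (and the first hunk adds Lua to the spelling dictionary); update that line as well. The version list carried into the new line, "1.1.9, 1.0.8, 1.0.6, and 1.1.3", would read better ordered as 1.0.6, 1.0.8, 1.1.3, 1.1.9.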
@ -110,4 +108,4 @@ The setup script uses helm template to produce an `envoyFilter` resource that de
The Istio team would like to thank Divya Raj for the original bug report.
Wed like to remind our community to follow the vulnerability reporting process described at [https://istio.io/about/security-vulnerabilities/](/about/security-vulnerabilities/) to report any bug that can result in a security vulnerability
{{< boilerplate "security-vulnerability" >}}

View File

@ -1,105 +0,0 @@
---
title: ISTIO-SECURITY-2019-003 and ISTIO-SECURITY-2019-004
subtitle: Security Bulletin
description: Security vulnerability disclosure for multiple CVEs.
publishdate: 2019-08-13
keywords: [CVE]
aliases:
- /blog/2019/istio-security-003-004
- /news/2019/istio-security-003-004
---
Today we are releasing two new versions of Istio. Istio [1.1.13](/news/releases/1.1.x/announcing-1.1.13/) and [1.2.4](/news/releases/1.2.x/announcing-1.2.4/) address vulnerabilities that can be used to mount a Denial of Service (DoS) attack against services using Istio.
__ISTIO-SECURITY-2019-003__: An Envoy user reported publicly an issue (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)) about regular expressions (or regex) matching that crashes Envoy with very large URIs.
* __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding`.
__ISTIO-SECURITY-2019-004__: Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks:
* __[CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512)__: HTTP/2 flood using `PING` frames and queuing of response `PING` ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* __[CVE-2019-9513](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513)__: HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.
* __[CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)__: HTTP/2 flood using `HEADERS` frames with invalid HTTP headers and queuing of response `RST_STREAM` frames that results in unbounded memory growth (which can lead to out of memory conditions).
* __[CVE-2019-9515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515)__: HTTP/2 flood using SETTINGS frames and queuing of `SETTINGS` ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* __[CVE-2019-9518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518)__: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.
* See [this security bulletin](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md) for more information
Those HTTP/2-based vulnerabilities were reported externally and affect multiple proxy implementations.
## Affected Istio releases
The following Istio releases are vulnerable:
* 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12
* 1.2, 1.2.1, 1.2.2, 1.2.3
All versions prior to 1.1 are no longer supported and are considered vulnerable.
## Impact score
* Overall CVSS score for __ISTIO-SECURITY-2019-003__: 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
* Overall CVSS score for __ISTIO-SECURITY-2019-004__: 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
## Vulnerability impact and detection
__ISTIO-SECURITY-2019-003__: To detect if there is any regular expressions used in Istio APIs in your cluster, run the following command which prints either of the following output:
* YOU ARE AFFECTED: found regex used in `AuthenticationPolicy` or `VirtualService`
* YOU ARE NOT AFFECTED: did not find regex usage
{{< text bash >}}
$ cat <<'EOF' | bash -
set -e
set -u
set -o pipefail
red=`tput setaf 1`
green=`tput setaf 2`
reset=`tput sgr0`
echo "Checking regex usage in Istio API ..."
AFFECTED=()
JWT_REGEX=()
JWT_REGEX+=($(kubectl get Policy --all-namespaces -o jsonpath='{..regex}'))
JWT_REGEX+=($(kubectl get MeshPolicy --all-namespaces -o jsonpath='{..regex}'))
if [ "${#JWT_REGEX[@]}" != 0 ]; then
AFFECTED+=("AuthenticationPolicy")
fi
VS_REGEX=()
VS_REGEX+=($(kubectl get VirtualService --all-namespaces -o jsonpath='{..regex}'))
if [ "${#VS_REGEX[@]}" != 0 ]; then
AFFECTED+=("VirtualService")
fi
HTTPAPI_REGEX=()
HTTPAPI_REGEX+=($(kubectl get HTTPAPISpec --all-namespaces -o jsonpath='{..regex}'))
if [ "${#HTTPAPI_REGEX[@]}" != 0 ]; then
AFFECTED+=("HTTPAPISpec")
fi
QUOTA_REGEX=()
QUOTA_REGEX+=($(kubectl get QuotaSpec --all-namespaces -o jsonpath='{..regex}'))
if [ "${#QUOTA_REGEX[@]}" != 0 ]; then
AFFECTED+=("QuotaSpec")
fi
if [ "${#AFFECTED[@]}" != 0 ]; then
echo "${red}YOU ARE AFFECTED: found regex used in ${AFFECTED[@]}${reset}"
exit 1
fi
echo "${green}YOU ARE NOT AFFECTED: did not find regex usage${reset}"
EOF
{{< /text >}}
__ISTIO-SECURITY-2019-004__: If Istio terminates externally originated HTTP then it is vulnerable. If Istio is instead fronted by an intermediary that terminates HTTP (e.g., a HTTP load balancer), then that intermediary would protect Istio, assuming the intermediary is not itself vulnerable to the same HTTP/2 exploits.
## Mitigations
For both vulnerabilities:
* For Istio 1.1.x deployments: update to a minimum version of Istio 1.1.13
* For Istio 1.2.x deployments: update to a minimum version of Istio 1.2.4
Wed like to remind our community to follow the [vulnerability reporting process](/about/security-vulnerabilities/) to report any bug that can result in a security vulnerability.
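Review bot: deleting this page drops the URL `/news/security/istio-security-2019-003-004/`, which the release notes and the 1.2.4 faulty-image notice linked to (those links are rewritten in this commit, but external references remain). Neither replacement bulletin adds that path as an alias; only the old `/blog/2019/istio-security-003-004` and `/news/2019/istio-security-003-004` aliases are carried over. Add `- /news/security/istio-security-2019-003-004` to the aliases of the new ISTIO-SECURITY-2019-003 file so existing links keep resolving.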

View File

@ -0,0 +1,85 @@
---
title: ISTIO-SECURITY-2019-003
subtitle: Security Bulletin
description: Security vulnerability disclosure for CVE-2019-14993.
cve: [CVE-2019-14993]
publishdate: 2019-08-13
keywords: [CVE]
skip_seealso: true
aliases:
- /blog/2019/istio-security-003-004
- /news/2019/istio-security-003-004
---
| Information | &nbsp;
|-------------------|--------
| CVE | [CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)
| CVSS Impact Score | 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
| Affected Releases | 1.1 to 1.1.12<br>1.2 to 1.2.3
## Context
An Envoy user reported publicly an issue (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)) about regular expressions (or regex) matching
that crashes Envoy with very large URIs. After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding`.
## Impact and detection
To detect if there is any regular expressions used in Istio APIs in your cluster, run the following command which prints either of the following output:
* YOU ARE AFFECTED: found regex used in `AuthenticationPolicy` or `VirtualService`
* YOU ARE NOT AFFECTED: did not find regex usage
{{< text bash >}}
$ cat <<'EOF' | bash -
set -e
set -u
set -o pipefail
red=`tput setaf 1`
green=`tput setaf 2`
reset=`tput sgr0`
echo "Checking regex usage in Istio API ..."
AFFECTED=()
JWT_REGEX=()
JWT_REGEX+=($(kubectl get Policy --all-namespaces -o jsonpath='{..regex}'))
JWT_REGEX+=($(kubectl get MeshPolicy --all-namespaces -o jsonpath='{..regex}'))
if [ "${#JWT_REGEX[@]}" != 0 ]; then
AFFECTED+=("AuthenticationPolicy")
fi
VS_REGEX=()
VS_REGEX+=($(kubectl get VirtualService --all-namespaces -o jsonpath='{..regex}'))
if [ "${#VS_REGEX[@]}" != 0 ]; then
AFFECTED+=("VirtualService")
fi
HTTPAPI_REGEX=()
HTTPAPI_REGEX+=($(kubectl get HTTPAPISpec --all-namespaces -o jsonpath='{..regex}'))
if [ "${#HTTPAPI_REGEX[@]}" != 0 ]; then
AFFECTED+=("HTTPAPISpec")
fi
QUOTA_REGEX=()
QUOTA_REGEX+=($(kubectl get QuotaSpec --all-namespaces -o jsonpath='{..regex}'))
if [ "${#QUOTA_REGEX[@]}" != 0 ]; then
AFFECTED+=("QuotaSpec")
fi
if [ "${#AFFECTED[@]}" != 0 ]; then
echo "${red}YOU ARE AFFECTED: found regex used in ${AFFECTED[@]}${reset}"
exit 1
fi
echo "${green}YOU ARE NOT AFFECTED: did not find regex usage${reset}"
EOF
{{< /text >}}
## Mitigation
* For Istio 1.1.x deployments: update to [Istio 1.1.13](/news/releases/1.1.x/announcing-1.1.13) or later
* For Istio 1.2.x deployments: update to [Istio 1.2.4](/news/releases/1.2.x/announcing-1.2.4) or later.
{{< boilerplate "security-vulnerability" >}}
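Review bot: the detection text still lists only two possible outcomes ("found regex used in `AuthenticationPolicy` or `VirtualService`"), but the script below also appends `HTTPAPISpec` and `QuotaSpec` to its AFFECTED list, so the bullet should enumerate all four resource kinds. Smaller points: the 1.1.x mitigation bullet lacks the trailing period the 1.2.x bullet has, and since this file now owns both old aliases, readers following them will never see ISTIO-SECURITY-2019-004; a one-line cross-link in Context would help.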

View File

@ -0,0 +1,39 @@
---
title: ISTIO-SECURITY-2019-004
subtitle: Security Bulletin
description: Security vulnerability disclosure for multiple CVEs.
cve: [CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518]
publishdate: 2019-08-13
keywords: [CVE]
skip_seealso: true
---
| Information | &nbsp;
|-------------------|--------
| CVE | [CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9513](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513), [CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), [CVE-2019-9515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515), [CVE-2019-9518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518)
| CVSS Impact Score | 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
| Affected Releases | 1.1 to 1.1.12<br>1.2 to 1.2.3
## Context
Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks:
* HTTP/2 flood using PING frames and queuing of response PING ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.
* HTTP/2 flood using HEADERS frames with invalid HTTP headers and queuing of response `RST_STREAM` frames that results in unbounded memory growth (which can lead to out of memory conditions).
* HTTP/2 flood using SETTINGS frames and queuing of SETTINGS ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
* HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.
Those vulnerabilities were reported externally and affect multiple proxy implementations.
See [this security bulletin](https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md) for more information.
## Impact and detection
If Istio terminates externally originated HTTP then it is vulnerable. If Istio is instead fronted by an intermediary that terminates HTTP (e.g., a HTTP load balancer), then that intermediary would protect Istio, assuming the intermediary is not itself vulnerable to the same HTTP/2 exploits.
## Mitigation
* For Istio 1.1.x deployments: update to a [Istio 1.1.13](/news/releases/1.1.x/announcing-1.1.13) or later.
* For Istio 1.2.x deployments: update to a [Istio 1.2.4](/news/releases/1.2.x/announcing-1.2.4) or later.
{{< boilerplate "security-vulnerability" >}}
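Review bot: the Context bullets lost the per-CVE attribution the deleted combined page had, so a reader cannot tell which of the five CVEs in the table each flood corresponds to; restore the bold CVE link prefix on each bullet as in the old text. Smaller points: "update to a [Istio 1.1.13]" and "update to a [Istio 1.2.4]" have a stray "a"; "Envoy, and subsequently Istio are vulnerable" wants a comma after Istio as in the 005 and 006 bulletins; and frame names are formatted inconsistently (`RST_STREAM` in backticks, PING, PRIORITY, HEADERS and SETTINGS without).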

View File

@ -2,39 +2,32 @@
title: ISTIO-SECURITY-2019-005
subtitle: Security Bulletin
description: Security vulnerability disclosure for CVE-2019-15226.
cve: [CVE-2019-15226]
publishdate: 2019-10-08
keywords: [CVE]
skip_seealso: true
aliases:
- /news/2019/istio-security-2019-005
---
Today we are releasing three new Istio versions: 1.1.16, 1.2.7, and 1.3.2. These new Istio versions address vulnerabilities that can be used to mount Denial of Service (DoS) attacks against services using Istio.
| Information | &nbsp;
|-------------------|--------
| CVE | [CVE-2019-15226](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226)
| CVSS Impact Score | 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
| Affected Releases | 1.1 to 1.1.15<br>1.2 to 1.2.6<br>1.3 to 1.3.1
__ISTIO-SECURITY-2019-005__: Envoy, and subsequently Istio, are vulnerable to the following DoS attack:
* __[CVE-2019-15226](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226)__: Upon receiving each incoming request, Envoy will iterate over the request headers to verify that the total size of the headers stays below a maximum limit. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.
## Context
## Affected Istio releases
Envoy, and subsequently Istio, are vulnerable to the following DoS attack. Upon receiving each incoming request, Envoy will iterate over the request headers to verify that the total size of the headers stays below a maximum limit. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.
The following Istio releases are vulnerable:
## Impact and detection
* 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15
* 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6
* 1.3, 1.3.1
## Impact score
Overall CVSS score: 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
## Vulnerability impact and detection
Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the versions listed above, your cluster is vulnerable.
Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases, your cluster is vulnerable.
## Mitigation
* For Istio 1.1.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade) to a minimum version of [Istio 1.1.16](/news/releases/1.1.x/announcing-1.1.16).
* For Istio 1.2.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade) to a minimum version of [Istio 1.2.7](/news/releases/1.2.x/announcing-1.2.7).
* For Istio 1.3.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade) to a minimum version of [Istio 1.3.2](/news/releases/1.3.x/announcing-1.3.2).
We'd like to remind our community to follow the [vulnerability reporting process](/about/security-vulnerabilities/) to report any bug that can result in a security vulnerability.
* For Istio 1.1.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade) to [Istio 1.1.16](/news/releases/1.1.x/announcing-1.1.16) or later.
* For Istio 1.2.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade) to [Istio 1.2.7](/news/releases/1.2.x/announcing-1.2.7) or later.
* For Istio 1.3.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/cni-helm-upgrade/#sidecar-upgrade) to [Istio 1.3.2](/news/releases/1.3.x/announcing-1.3.2) or later.
{{< boilerplate "security-vulnerability" >}}

View File

@ -2,39 +2,38 @@
title: ISTIO-SECURITY-2019-006
subtitle: Security Bulletin
description: Security vulnerability disclosure for CVE-2019-18817.
cve: [CVE-2019-18817]
publishdate: 2019-11-07
keywords: [CVE]
skip_seealso: true
aliases:
- /news/2019/istio-security-2019-006
---
__ISTIO-SECURITY-2019-006__: Envoy, and subsequently Istio, are vulnerable to the following DoS attack:
* __[CVE-2019-18817](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18817)__: An infinite loop can be triggered in Envoy if the option `continue_on_listener_filters_timeout` is set to `True`. This has been the case for Istio since the introduction of the Protocol Detection feature in Istio 1.3
| Information | &nbsp;
|-------------------|--------
| CVE | [CVE-2019-18817](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18817)
| CVSS Impact Score | 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C&version=3.1)
| Affected Releases | 1.3 to 1.3.4
## Context
Envoy, and subsequently Istio, are vulnerable to the following DoS attack.
An infinite loop can be triggered in Envoy if the option `continue_on_listener_filters_timeout` is set to `True`. This has been the case for Istio since the introduction of the Protocol Detection feature in Istio 1.3
A remote attacker may trivially trigger that vulnerability, effectively exhausting Envoys CPU resources and causing a denial-of-service attack.
## Affected Istio releases
## Impact and detection
The following Istio releases are vulnerable:
* 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4
## Impact score
Overall CVSS score: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C&version=3.1)
## Vulnerability impact and detection
Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the versions listed above, your cluster is vulnerable.
Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases, your cluster is vulnerable.
## Mitigation
* Workaround:
The exploitation of that vulnerability can be prevented by customizing Istio installation (as described in [installation options](/docs/reference/config/installation-options/#pilot-options) ), using Helm to override the following options:
* Workaround: The exploitation of that vulnerability can be prevented by customizing Istio installation (as described in [installation options](/docs/reference/config/installation-options/#pilot-options) ), using Helm to override the following options:
{{< text plain >}}
--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
{{< /text >}}
{{< text plain >}}
--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
{{< /text >}}
* We are going to release a fixed version of Istio as soon as possible to address this vulnerability.
* For Istio 1.3.x deployments: update to [Istio 1.3.5](/news/releases/1.3.x/announcing-1.3.5) or later.
We'd like to remind our community to follow the [vulnerability reporting process](/about/security-vulnerabilities/) to report any bug that can result in a security vulnerability.
{{< boilerplate "security-vulnerability" >}}
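Review bot: the row `| CVSS Impact Score | 7.5 [CVSS:3.1/...]` mislabels the number: in CVSS terminology the "impact" score is the confidentiality/integrity/availability sub-score, while 7.5 is the base score for the base metrics shown (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Suggest renaming the row to `CVSS Score` (or `CVSS Base Score`); if the temporal metrics `E:H/RL:O/RC:C` are kept in the vector, say explicitly that the figure is the base score, since applying the temporal metrics would give a different value. Two small text issues in the same hunk: the sentence ending "Protocol Detection feature in Istio 1.3" in the Context section lacks its terminating period, and the workaround line has a stray space before the closing parenthesis in "installation options](...) )".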

View File

@ -16,7 +16,7 @@ We're pleased to announce the availability of Istio 1.1.13. Please see below for
## Security update
This release contains fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003-004/). Specifically:
This release contains fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003/). Specifically:
__ISTIO-SECURITY-2019-003__: An Envoy user reported publicly an issue (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)) about regular expressions matching that crashes Envoy with very large URIs.
* __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding`.
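Review bot: the changed link now points only at `/news/security/istio-security-2019-003/`, but the removed URL (`istio-security-2019-003-004`) covered both ISTIO-SECURITY-2019-003 and ISTIO-SECURITY-2019-004, and the anchor text "our August 13th, 2019 news post" still implies a single combined post. Either link both bulletins by name (e.g. "[ISTIO-SECURITY-2019-003](/news/security/istio-security-2019-003/) and ISTIO-SECURITY-2019-004") or make the anchor text name the specific bulletin, so readers of the 1.1.13 notes are not left without a pointer to the 004 disclosure.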

View File

@ -16,7 +16,7 @@ We're pleased to announce the availability of Istio 1.1.14. Please see below for
## Security update
Following the previous fixes for the security vulnerabilities described in [our August 13th, 2019 blog post](/news/security/istio-security-2019-003-004/), we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.
Following the previous fixes for the security vulnerabilities described in [our August 13th, 2019 blog post](/news/security/istio-security-2019-003/), we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.
You can find the gRPC vulnerability fix description on their mailing list (c.f.
[HTTP/2 Security Vulnerabilities](https://groups.google.com/forum/#!topic/grpc-io/w5jPamxdda4)).
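Review bot: same concern as in the 1.1.13 announcement: the new target `/news/security/istio-security-2019-003/` replaces a page that covered both 003 and 004, so the 004 bulletin is no longer reachable from this paragraph. While touching this line, the 1.1.14 text calls the reference "our August 13th, 2019 blog post" whereas the 1.1.13 text calls it a "news post"; pick one term for the release notes series.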

View File

@ -16,7 +16,7 @@ We're pleased to announce the availability of Istio 1.2.4. Please see below for
## Security update
This release contains fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003-004/). Specifically:
This release contains fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003/). Specifically:
__ISTIO-SECURITY-2019-003__: An Envoy user reported publicly an issue (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)) about regular expressions matching that crashes Envoy with very large URIs.
* __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding`.
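Review bot: this hunk has the same issue as the 1.1.13 hunk above: the combined 003-004 URL is replaced by a link to 003 only, while the 1.2.4 release also ships the ISTIO-SECURITY-2019-004 fixes described on the old page. Please link both bulletins or adjust the anchor text so it no longer promises a single "news post" covering all of the fixes.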

View File

@ -16,7 +16,7 @@ We're pleased to announce the availability of Istio 1.2.5. Please see below for
## Security update
Following the previous fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003-004/), we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.
Following the previous fixes for the security vulnerabilities described in [our August 13th, 2019 news post](/news/security/istio-security-2019-003/), we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.
You can find the gRPC vulnerability fix description on their mailing list (c.f.
[HTTP/2 Security Vulnerabilities](https://groups.google.com/forum/#!topic/grpc-io/w5jPamxdda4)).
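Review bot: as with the 1.2.4 hunk, the retargeted link drops the ISTIO-SECURITY-2019-004 reference that the removed `istio-security-2019-003-004` URL carried; add the second bulletin link here as well so the 1.2.x and 1.1.x announcements stay consistent.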

View File

@ -9,7 +9,7 @@ aliases:
---
To the Istios user community,
For the period between Aug 23rd 2019 09:16PM PST and Sep 6th 2019 09:26AM PST a Docker image shipped as Istio `proxyv2` 1.2.4 (c.f. [https://hub.docker.com/r/istio/proxyv2](https://hub.docker.com/r/istio/proxyv2) ) contained a faulty version of the proxy against the security bugs [ISTIO-SECURITY-2019-003 and ISTIO-SECURITY-2019-004](/news/security/istio-security-2019-003-004/).
For the period between Aug 23rd 2019 09:16PM PST and Sep 6th 2019 09:26AM PST a Docker image shipped as Istio `proxyv2` 1.2.4 (c.f. [https://hub.docker.com/r/istio/proxyv2](https://hub.docker.com/r/istio/proxyv2) ) contained a faulty version of the proxy against the security bugs [ISTIO-SECURITY-2019-003](/news/security/istio-security-2019-003/).
If you have installed Istio 1.2.4 during that time, please consider upgrading to Istio 1.2.5 that also contains additional security fixes.
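Review bot: the new line reads "against the security bugs [ISTIO-SECURITY-2019-003](...)": the noun is still plural but only one bulletin is linked, where the removed line linked ISTIO-SECURITY-2019-003 and ISTIO-SECURITY-2019-004. Either restore the second link (the faulty `proxyv2` 1.2.4 image affected the fixes for both bulletins according to the original sentence) or change "bugs" to "bug". Unrelated context line, but worth fixing while here: "To the Istios user community" is missing the apostrophe in "Istio's".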

View File

@ -234,3 +234,12 @@ other = "Level"
[target_release]
other = "This blog post was written assuming Istio %v, so some of this content may now be outdated."
[security_disclosure]
other = "Disclosure"
[security_related]
other = "Related"
[security_date]
other = "Date"
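Review bot: the three new keys (`security_disclosure`, `security_related`, `security_date`) match the `i18n` calls in the new security list layout, but that layout also calls `i18n "page_publish_date_format"`, which is not added in this hunk. Confirm that key already exists in this translation file; otherwise the date column will render with an empty format string. Consider also adding a short comment above the `[security_*]` block noting which template consumes them, as the file does for `target_release`.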

View File

@ -0,0 +1,52 @@
{{ define "main" }}
{{ .Scratch.Set "skipSeeAlso" true }}
{{ partial "primary_top.html" . }}
<p>{{ .Description }}</p>
<div class="security-grid">
{{ $pages := (where .Site.Pages "Section" .Section) }}
{{ $pages = sort $pages ".Params.publishdate" "desc" }}
{{ $parent := .Page }}
{{ $parentDir := (path.Dir .Page.File.Dir) }}
<table>
<thead>
<tr>
<th>{{ i18n "security_disclosure" }}</th>
<th>{{ i18n "security_related" }}</th>
<th>{{ i18n "security_date" }}</th>
</tr>
</thead>
<tbody>
{{ range $pages }}
{{ $pageLocation := (path.Dir (path.Dir .File.Dir)) }}
{{ if eq $parentDir $pageLocation }}
<tr>
<td><a href="{{ .Permalink }}">{{ .LinkTitle }}</a></td>
{{ if .Params.cve }}
<td>
{{ $first := true }}
{{ range $cve := .Params.cve }}
{{- if not $first -}}, {{ end -}}
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name={{ $cve }}">{{ $cve}}<a>
{{- $first = false -}}
{{ end }}
</td>
{{ else }}
<td>{{ trim .Description "." -}}</td>
{{ end }}
<td>{{ .PublishDate.Format (i18n "page_publish_date_format") -}}</td>
</tr>
{{ end }}
{{ end }}
</tbody>
</table>
</div>
{{ partial "primary_bottom.html" . }}
{{ end }}
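Review bot: the CVE link line `<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name={{ $cve }}">{{ $cve}}<a>` closes the anchor with `<a>` instead of `</a>`, so every CVE opens two anchors and closes none; the resulting nested, unterminated links make the rest of the table row part of the link text and will fail HTML validation. Change it to `</a>` and normalise the spacing to `{{ $cve }}`. Two smaller points: the list is sorted on `.Params.publishdate` but the displayed date comes from `.PublishDate`, so a page whose front matter omits `publishdate` would sort differently from how its date displays (sorting on `PublishDate` keeps both in step), and the `{{ i18n "page_publish_date_format" }}` key is relied on without being added in the i18n hunk of this commit.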