href=/v1.8/about/contribute/code-blocks/>Add Code Blocks</a></li><li role=none><a role=treeitem title="Explains the shortcodes available and how to use them." href=/v1.8/about/contribute/shortcodes/>Use Shortcodes</a></li><li role=none><a role=treeitem title="Explains the standard markup used to format Istio documentation." href=/v1.8/about/contribute/formatting/>Follow Formatting Standards</a></li><li role=none><a role=treeitem title="Explains the style conventions used in the Istio documentation." href=/v1.8/about/contribute/style-guide/>Style Guide</a></li><li role=none><a role=treeitem title="Explains the terminology standards used in the Istio documentation." href=/v1.8/about/contribute/terminology/>Terminology Standards</a></li><li role=none><a role=treeitem title="Provides assets and instructions to create diagrams for the Istio documentation." href=/v1.8/about/contribute/diagrams/>Diagram Creation Guidelines</a></li></ul></li><li role=none><a role=treeitem title="List of recent changes to this website." href=/v1.8/about/log/>Website Content Changes</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.8/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.8/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.8/about/ title="Get a bit more in-depth info about the Istio project.">About</a></li><li>Security Vulnerabilities</li></ol></nav><article aria-labelledby=title><div class=title-area><i class=title-icon><svg class="icon vulnerabilities"><use xlink:href="/v1.8/img/icons.svg#vulnerabilities"/></svg></i><div style=width:100%><h1 id=title>Security Vulnerabilities</h1><p class=byline><span title="471 words"><svg class="icon clock"><use xlink:href="/v1.8/img/icons.svg#clock"/></svg><span>&nbsp;</span>3 minute read</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Reporting a vulnerability"><a href=#reporting-a-vulnerability>Reporting a vulnerability</a><ol><li role=none aria-label="When to report a security vulnerability?"><a href=#when-to-report-a-security-vulnerability>When to report a security vulnerability?</a><li role=none aria-label="When not to report a security vulnerability?"><a href=#when-not-to-report-a-security-vulnerability>When not to report a security vulnerability?</a></ol></li><li role=none aria-label=Evaluation><a href=#evaluation>Evaluation</a><li role=none aria-label="Fixing the issue"><a href=#fixing-the-issue>Fixing the issue</a><li role=none aria-label="Early disclosure"><a href=#early-disclosure>Early disclosure</a><li role=none aria-label="Public disclosure"><a href=#public-disclosure>Public disclosure</a></ol><hr></div></nav><p>We are very grateful to the security researchers and users that report
back Istio security vulnerabilities. We investigate every report thoroughly.</p><h2 id=reporting-a-vulnerability>Reporting a vulnerability</h2><p>To make a report, send an email to the private
<a href=mailto:istio-security-vulnerability-reports@googlegroups.com>istio-security-vulnerability-reports@googlegroups.com</a>
mailing list with the vulnerability details. Please use this private list rather than a public GitHub issue, Slack channel, or discussion thread, so that the issue is not disclosed before a fix is available. For ordinary product bugs
with no security impact, please head to
our <a href=/v1.8/about/bugs/>Reporting Bugs</a> page to learn what to do.</p><h3 id=when-to-report-a-security-vulnerability>When to report a security vulnerability?</h3><p>Send us a report whenever you:</p><ul><li>Think Istio has a potential security vulnerability.</li><li>Are unsure whether or how a vulnerability affects Istio.</li><li>Think a vulnerability is present in another project that Istio
depends on. For example, Envoy, Docker, or Kubernetes.</li></ul><p>When in doubt, please disclose privately. Issues that should always come through the private list include, but are not limited to:</p><ul><li>Any crash, especially in Envoy (a crash that can be triggered by request traffic is a potential denial of service)</li><li>Any bypass or weakening of a security policy (such as authentication or authorization policy)</li><li>Any potential Denial of Service (DoS)</li></ul><h3 id=when-not-to-report-a-security-vulnerability>When not to report a security vulnerability?</h3><p>Don&rsquo;t send a vulnerability report if:</p><ul><li>You need help tuning Istio components for security.</li><li>You need help applying security related updates.</li><li>Your issue is not security related. Use the <a href=/v1.8/about/bugs/>Reporting Bugs</a> page or the community channels for these instead.</li></ul><h2 id=evaluation>Evaluation</h2><p>The Istio security team acknowledges and analyzes each vulnerability report within three
work days.</p><p>Any vulnerability information you share with the Istio security team stays
within the Istio project. We don&rsquo;t disseminate the information to other
projects. We only share the information as needed to fix the issue (which may include coordinating with an upstream project when the defect lies in a dependency such as Envoy) and, under embargo, with the partners on the early disclosure list described below.</p><p>We keep the reporter updated as the status of the security issue moves
from <code>triaged</code>, to <code>identified fix</code>, to <code>release planning</code>.</p><h2 id=fixing-the-issue>Fixing the issue</h2><p>Once a security vulnerability has been fully characterized, a fix is developed by the Istio team.
The development and testing for the fix happens in a private GitHub repository in order to prevent
premature disclosure of the vulnerability. For the same reason, we ask reporters not to discuss the issue publicly until the public disclosure date.</p><h2 id=early-disclosure>Early disclosure</h2><p>The Istio project maintains a mailing list for private early disclosure of security vulnerabilities. The list is used to provide actionable
information to close Istio partners. The list is not a way for individual users to get advance notice of security issues.</p><p>See <a href=https://github.com/istio/community/blob/master/EARLY-DISCLOSURE.md>Early Disclosure of Security Vulnerabilities</a> to get more information.</p><h2 id=public-disclosure>Public disclosure</h2><p>On the day chosen for public disclosure, a sequence of activities takes place as quickly as possible:</p><ul><li><p>Changes are merged from the private GitHub repository holding the fix into the affected public release
branches.</p></li><li><p>Release engineers ensure all necessary binaries are promptly built and published.</p></li><li><p>Once the binaries are available, an announcement is sent out on the following channels:</p><ul><li>The <a href=/v1.8/blog>Istio blog</a></li><li>The <a href=https://discuss.istio.io/c/announcements>Announcements</a> category on discuss.istio.io</li><li>The <a href=https://twitter.com/IstioMesh>Istio Twitter feed</a></li><li>The <a href=https://istio.slack.com/messages/CFXS256EQ/>#announcements channel on Slack</a></li></ul></li></ul><p>As much as possible this announcement will be actionable, and include any mitigating steps customers can take prior to
upgrading to a fixed version; where possible it identifies the affected and fixed versions so that operators can quickly tell whether they are exposed. The recommended target time for these announcements is 16:00 UTC from Monday to Thursday.
This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia.</p></article><nav class=pagenav><div class=left><a title="What to do if you find a bug." href=/v1.8/about/bugs/><svg class="icon left-arrow"><use xlink:href="/v1.8/img/icons.svg#left-arrow"/></svg>Reporting Bugs</a></div><div class=right><a title="The currently supported Istio releases." href=/v1.8/about/supported-releases/>Supported Releases<svg class="icon right-arrow"><use xlink:href="/v1.8/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>