<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="ISTIO-SECURITY-2020-007"><meta name=description content="Multiple denial of service vulnerabilities in Envoy."><meta name=keywords content="microservices,services,mesh,CVE"><meta property="og:title" content="ISTIO-SECURITY-2020-007"><meta property="og:type" content="website"><meta property="og:description" content="Multiple denial of service vulnerabilities in Envoy."><meta property="og:url" content="/v1.9/news/security/istio-security-2020-007/"><meta property="og:image" content="/v1.9/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.9 / ISTIO-SECURITY-2020-007</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.9/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.9/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.9/feed.xml><link rel="shortcut icon" href=/v1.9/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.9/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.9/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.9/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.9/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.9/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.9/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.9/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.9/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.9/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.9/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.9/css/all.css><script src=/v1.9/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.9";const docTitle="ISTIO-SECURITY-2020-007";const iconFile="\/v1.9/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.9/js/all.min.js data-manual 
aria-controls=card11-body>Support Announcements</button><div class=body aria-labelledby=card11 role=region id=card11-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card11><li role=none><a role=treeitem title="Istio 1.8 end of life announcement (May 12, 2021)" href=/v1.9/news/support/announcing-1.8-eol-final/>Support for Istio 1.8 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.8 end of life announcement (April 12, 2021)" href=/v1.9/news/support/announcing-1.8-eol/>Support for Istio 1.8 ends on May 12th, 2021</a></li><li role=none><a role=treeitem title="Istio 1.7 end of life announcement (February 25, 2021)" href=/v1.9/news/support/announcing-1.7-eol-final/>Support for Istio 1.7 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.7 end of life announcement (January 19, 2021)" href=/v1.9/news/support/announcing-1.7-eol/>Support for Istio 1.7 ends on February 19th, 2021</a></li><li role=none><a role=treeitem title="Istio 1.6 end of life announcement (November 23, 2020)" href=/v1.9/news/support/announcing-1.6-eol-final/>Support for Istio 1.6 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.6 end of life announcement (October 20, 2020)" href=/v1.9/news/support/announcing-1.6-eol/>Support for Istio 1.6 ends on November 21st, 2020</a></li><li role=none><a role=treeitem title="Istio 1.5 end of life announcement (August 24, 2020)" href=/v1.9/news/support/announcing-1.5-eol-final/>Support for Istio 1.5 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.5 end of life announcement (July 22, 2020)" href=/v1.9/news/support/announcing-1.5-eol/>Support for Istio 1.5 ends on August 21st, 2020</a></li><li role=none><a role=treeitem title="Istio 1.4 end of life announcement (June 5, 2020)" href=/v1.9/news/support/announcing-1.4-eol-final/>Support for Istio 1.4 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.4 end of life announcement (May 5, 
2020)" href=/v1.9/news/support/announcing-1.4-eol/>Support for Istio 1.4 ends on June 5th, 2020</a></li><li role=none><a role=treeitem title="Istio 1.3 end of life announcement (February 14, 2020)" href=/v1.9/news/support/announcing-1.3-eol-final/>Support for Istio 1.3 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.3 end of life announcement (January 15, 2020)" href=/v1.9/news/support/announcing-1.3-eol/>Support for Istio 1.3 ends on February 14th, 2020</a></li><li role=none><a role=treeitem title="Istio 1.2 end of life announcement (December 13, 2019)" href=/v1.9/news/support/announcing-1.2-eol-final/>Support for Istio 1.2 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.2 end of life announcement (November 11, 2019)" href=/v1.9/news/support/announcing-1.2-eol/>Support for Istio 1.2 ends on December 13th, 2019</a></li><li role=none><a role=treeitem title="Istio 1.1 end of life announcement (October 21, 2019)" href=/v1.9/news/support/announcing-1.1-eol-final/>Support for Istio 1.1 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.1 end of life announcement (August 15, 2019)" href=/v1.9/news/support/announcing-1.1-eol/>Support for Istio 1.1 ends on September 19th, 2019</a></li><li role=none><a role=treeitem title="Istio 1.0 end of life announcement (June 19, 2019)" href=/v1.9/news/support/announcing-1.0-eol-final/>Support for Istio 1.0 has ended</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.0 end of life announcement (May 23, 2019)" href=/v1.9/news/support/announcing-1.0-eol/>Support for Istio 1.0 ends on June 19th, 2019</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.9/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.9/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a 
href=/v1.9/news/ title="Timely news about the Istio project.">News</a></li><li><a href=/v1.9/news/security/ title="Disclosed security vulnerabilities and their mitigation.">Security Bulletins</a></li><li>ISTIO-SECURITY-2020-007</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>ISTIO-SECURITY-2020-007</h1><p class=subtitle>Security Bulletin</p><p class=byline><span><svg class="icon calendar"><use xlink:href="/v1.9/img/icons.svg#calendar"/></svg><span>&nbsp;</span>June 30, 2020</span><span> | </span><span title="334 words"><svg class="icon clock"><use xlink:href="/v1.9/img/icons.svg#clock"/></svg><span>&nbsp;</span>2 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=Mitigation><a href=#mitigation>Mitigation</a><li role=none aria-label="Reporting vulnerabilities"><a href=#reporting-vulnerabilities>Reporting vulnerabilities</a></ol><hr></div></nav><table><thead><tr><th colspan=2>Disclosure Details</th></tr></thead><tbody><tr><td>CVE(s)</td><td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12603">CVE-2020-12603</a><br><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12605">CVE-2020-12605</a><br><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8663">CVE-2020-8663</a><br><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12604">CVE-2020-12604</a><br></td></tr><tr><td>CVSS Impact Score</td><td>7.5 <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV%3aN%2fAC%3aL%2fPR%3aN%2fUI%3aN%2fS%3aU%2fC%3aN%2fI%3aN%2fA%3aH">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</a></td></tr><tr><td>Affected Releases</td><td>1.5 to 1.5.6<br>1.6 to 1.6.3<br></td></tr></tbody></table><p>Envoy, and consequently Istio, is vulnerable to four newly disclosed vulnerabilities:</p><ul><li><p><strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12603">CVE-2020-12603</a></strong>:
By sending a specially crafted packet, an attacker could cause Envoy to consume excessive amounts of memory when proxying HTTP/2 requests or responses.</p><ul><li>CVSS Score: 7.0 <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</a></li></ul></li><li><p><strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12605">CVE-2020-12605</a></strong>:
An attacker could cause Envoy to consume excessive amounts of memory when processing specially crafted HTTP/1.1 packets.</p><ul><li>CVSS Score: 7.0 <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</a></li></ul></li><li><p><strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8663">CVE-2020-8663</a></strong>:
An attacker could cause Envoy to exhaust its file descriptors by opening a large number of connections.</p><ul><li>CVSS Score: 7.0 <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</a></li></ul></li><li><p><strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12604">CVE-2020-12604</a></strong>:
An attacker could cause Envoy to use increased memory when it processes specially crafted packets.</p><ul><li>CVSS Score: 5.3 <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&version=3.1">AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</a></li></ul></li></ul><h2 id=mitigation>Mitigation</h2><ul><li>For Istio 1.5.x deployments: update to <a href=/v1.9/news/releases/1.5.x/announcing-1.5.7>Istio 1.5.7</a> or later.</li><li>For Istio 1.6.x deployments: update to <a href=/v1.9/news/releases/1.6.x/announcing-1.6.4>Istio 1.6.4</a> or later.</li></ul><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.9/img/icons.svg#callout-warning"/></svg></div><div class=content>You must take the following additional steps to mitigate CVE-2020-8663.</div></aside></div><p>CVE-2020-8663 is addressed in Envoy by adding a configurable limit on <a href=https://www.envoyproxy.io/docs/envoy/v1.14.3/configuration/operations/overload_manager/overload_manager#limiting-active-connections>downstream connections</a>. Upgrading alone does not mitigate this vulnerability; the limit must be configured explicitly. Perform the following steps to configure the limit at the ingress gateway.</p><ol><li><p>Create a config map by downloading <a href=/v1.9/news/security/istio-security-2020-007/custom-bootstrap-runtime.yaml>custom-bootstrap-runtime.yaml</a>. Update <code>global_downstream_max_connections</code> in the config map according to the number of concurrent connections needed by individual gateway instances in your deployment. Once the limit is reached, Envoy starts rejecting new TCP connections, so a value below the gateway's legitimate peak load will itself cause an outage.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system apply -f custom-bootstrap-runtime.yaml
</code></pre></li><li><p>Patch the ingress gateway deployment to use the above configuration. Download <a href=/v1.9/news/security/istio-security-2020-007/gateway-patch.yaml>gateway-patch.yaml</a> and apply it using the following command.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl --namespace istio-system patch deployment istio-ingressgateway --patch &#34;$(cat gateway-patch.yaml)&#34;
</code></pre></li><li><p>Confirm that the new limits are in place.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ ISTIO_INGRESS_PODNAME=$(kubectl get pods -l app=istio-ingressgateway -n istio-system -o jsonpath=&#34;{.items[0].metadata.name}&#34;)
$ kubectl --namespace istio-system exec -i -t ${ISTIO_INGRESS_PODNAME} -c istio-proxy -- curl -sS http://localhost:15000/runtime
{
&#34;entries&#34;: {
&#34;overload.global_downstream_max_connections&#34;: {
&#34;layer_values&#34;: [
&#34;&#34;,
&#34;250000&#34;,
&#34;&#34;
],
&#34;final_value&#34;: &#34;250000&#34;
}
},
&#34;layers&#34;: [
&#34;static_layer_0&#34;,
&#34;admin&#34;
]
}
</code></pre></li></ol><h2 id=reporting-vulnerabilities>Reporting vulnerabilities</h2><p>We’d like to remind our community to follow the <a href=/v1.9/about/security-vulnerabilities/>vulnerability reporting process</a> to report any bug that can result in a
security vulnerability.</article><nav class=pagenav><div class=left><a title="Incorrect validation of wildcard DNS Subject Alternative Names." href=/v1.9/news/security/istio-security-2020-008/><svg class="icon left-arrow"><use xlink:href="/v1.9/img/icons.svg#left-arrow"/></svg>ISTIO-SECURITY-2020-008</a></div><div class=right><a title="Denial of service in the HTTP2 library used by Envoy." href=/v1.9/news/security/istio-security-2020-006/>ISTIO-SECURITY-2020-006<svg class="icon right-arrow"><use xlink:href="/v1.9/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>