istio.io/archive/v1.1/about/security-vulnerabilities/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Security Vulnerabilities"><meta name=description content="How we handle security vulnerabilities."><meta name=keywords content=microservices,services,mesh><meta property=og:title content="Security Vulnerabilities"><meta property=og:type content=website><meta property=og:description content="How we handle security vulnerabilities."><meta property=og:url content=/v1.1/about/security-vulnerabilities/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Security Vulnerabilities</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Security Vulnerabilities";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path 
d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.1/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
<a title="A bunch of resources to help you deploy, configure and use Istio." href=/v1.1/help/>Help</a>
<span title="Get a bit more in-depth info about the Istio project.">About</span><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/about\/security-vulnerabilities\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/about\/security-vulnerabilities\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.1/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><div id=header0 class=header title="Get a bit more in-depth info about the Istio project."><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#about"/></svg>About Istio</div><div class="body default" aria-labelledby=header0><ul role=tree aria-expanded=true aria-labelledby=header0><li role=treeitem aria-label="Release Notes"><button aria-hidden=true></button><a title="Description of features and improvements for every Istio release." href=/v1.1/about/notes/>Release Notes</a><ul role=group aria-expanded=false><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.9/>Istio 1.1.9</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0.8/>Istio 1.0.8</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.8/>Istio 1.1.8</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.7/>Istio 1.1.7</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.6/>Istio 1.1.6</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.5/>Istio 1.1.5</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.4/>Istio 1.1.4</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.3/>Istio 1.1.3</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0.7/>Istio 1.0.7</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.2/>Istio 1.1.2</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1.1/>Istio 1.1.1</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.1/>Istio 1.1</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0.6/>Istio 1.0.6</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0.5/>Istio 
1.0.5</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0.4/>Istio 1.0.4</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0.3/>Istio 1.0.3</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0.2/>Istio 1.0.2</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0.1/>Istio 1.0.1</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/1.0/>Istio 1.0</a></li><li role=treeitem aria-label="Older Notes"><button aria-hidden=true></button><a title="Notes from older releases of Istio." href=/v1.1/about/notes/older/>Older Notes</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.1/about/notes/older/0.8/>Istio 0.8</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/older/0.7/>Istio 0.7</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/older/0.6/>Istio 0.6</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/older/0.5/>Istio 0.5</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/older/0.4/>Istio 0.4</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/older/0.3/>Istio 0.3</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/older/0.2/>Istio 0.2</a></li><li role=none><a role=treeitem href=/v1.1/about/notes/older/0.1/>Istio 0.1</a></li></ul></li></ul></li><li role=none><a role=treeitem title="How we manage, number, and support Istio releases." href=/v1.1/about/release-cadence/>Build &amp; Release Cadence</a></li><li role=none><a role=treeitem title="List of features and their release stages." href=/v1.1/about/feature-stages/>Feature Status</a></li><li role=treeitem aria-label="Our Community"><button aria-hidden=true></button><a title="Learn about our community, our customers, and our partners." href=/v1.1/about/community/>Our Community</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on the various ways to participate and interact with the Istio community." 
href=/v1.1/about/community/join/>Getting Involved</a></li><li role=none><a role=treeitem title="Who's building stuff around Istio." href=/v1.1/about/community/partners/>Partners</a></li><li role=none><a role=treeitem title="Who's using Istio out there." href=/v1.1/about/community/customers/>Istio in Action</a></li></ul></li><li role=none><a role=treeitem title="What to do if you find a bug." href=/v1.1/about/bugs/>Reporting Bugs</a></li><li role=none><span role=treeitem class=current title="How we handle security vulnerabilities.">Security Vulnerabilities</span></li><li role=none><a role=treeitem title="Official Istio resources for digital and printed materials." href=/v1.1/about/media-resources/>Media Resources</a></li><li role=treeitem aria-label="Contributing to the Docs"><button aria-hidden=true></button><a title="Learn how to contribute to improve and expand the Istio documentation." href=/v1.1/about/contribute/>Contributing to the Docs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows you how to use GitHub to work on Istio documentation." href=/v1.1/about/contribute/github/>Working with GitHub</a></li><li role=none><a role=treeitem title="Explains the mechanics of creating and maintaining documentation pages." href=/v1.1/about/contribute/creating-and-editing-pages/>Creating and Editing Pages</a></li><li role=none><a role=treeitem title="Explains the dos and donts of writing Istio documentation." 
href=/v1.1/about/contribute/style-guide/>Style Guide</a></li></ul></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.1/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.1/about/ title="Get a bit more in-depth info about the Istio project.">About</a></li><li>Security Vulnerabilities</li></ol></nav><article aria-labelledby=title><div class=title-area><i class=title-icon><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#vulnerabilities"/></svg></i><div><h1 id=title>Security Vulnerabilities</h1><p class=byline><span title="437 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span>&nbsp;</span>3 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Reporting a vulnerability"><a href=#reporting-a-vulnerability>Reporting a vulnerability</a><ol><li role=none aria-label="When to report a security vulnerability?"><a href=#when-to-report-a-security-vulnerability>When to report a security vulnerability?</a><li role=none aria-label="When not to report a security vulnerability?"><a href=#when-not-to-report-a-security-vulnerability>When not to report a security vulnerability?</a></ol></li><li role=none aria-label=Evaluation><a href=#evaluation>Evaluation</a><li role=none aria-label="Fixing the issue"><a href=#fixing-the-issue>Fixing the issue</a><li role=none aria-label="Early disclosure"><a href=#early-disclosure>Early disclosure</a><li role=none aria-label="Public disclosure"><a href=#public-disclosure>Public disclosure</a></ol><hr></div></nav><p>We are very grateful to the security researchers and users that report
back Istio security vulnerabilities. We investigate every report thoroughly.</p><h2 id=reporting-a-vulnerability>Reporting a vulnerability</h2><p>To make a report, send an email to the private
<a href=mailto:vulnerabilities@discuss.istio.io><code>vulnerabilities@discuss.istio.io</code></a>
mailing list with the vulnerability details. For normal product bugs
unrelated to latent security vulnerabilities, please head to
our <a href=/v1.1/about/bugs/>Reporting Bugs</a> page to learn what to do.</p><h3 id=when-to-report-a-security-vulnerability>When to report a security vulnerability?</h3><p>Send us a report whenever you:</p><ul><li>Think Istio has a potential security vulnerability.</li><li>Are unsure whether or how a vulnerability affects Istio.</li><li>Think a vulnerability is present in another project that Istio
depends on, for example Envoy, Docker, or Kubernetes.</li></ul><h3 id=when-not-to-report-a-security-vulnerability>When not to report a security vulnerability?</h3><p>Don&rsquo;t send a vulnerability report if:</p><ul><li>You need help tuning Istio components for security.</li><li>You need help applying security-related updates.</li><li>Your issue is not security-related.</li></ul><h2 id=evaluation>Evaluation</h2><p>The Istio security team acknowledges and analyzes each vulnerability report within three
work days.</p><p>Any vulnerability information you share with the Istio security team stays
within the Istio project. We don&rsquo;t disseminate the information to other
projects. We only share the information as needed to fix the issue.</p><p>We keep the reporter updated as the status of the security issue moves
from <code>triaged</code>, to <code>identified fix</code>, to <code>release planning</code>.</p><h2 id=fixing-the-issue>Fixing the issue</h2><p>Once a security vulnerability has been fully characterized, a fix is developed by the Istio team.
The development and testing for the fix happens in a private GitHub repository in order to prevent
premature disclosure of the vulnerability.</p><h2 id=early-disclosure>Early disclosure</h2><p>The Istio project maintains a mailing list for private early disclosure of security vulnerabilities. The list is used to provide actionable
information to close Istio partners. The list is not intended for individuals to find out about security issues.</p><p>See <a href=https://github.com/istio/community/blob/master/EARLY-DISCLOSURE.md>Early Disclosure of Security Vulnerabilities</a> to get more information.</p><h2 id=public-disclosure>Public disclosure</h2><p>On the day chosen for public disclosure, a sequence of activities takes place as quickly as possible:</p><ul><li><p>Changes are merged from the private GitHub repository holding the fix into the appropriate set of public
branches.</p></li><li><p>Release engineers ensure all necessary binaries are promptly built and published.</p></li><li><p>Once the binaries are available, an announcement is sent out on the following channels:</p><ul><li>The <a href=/v1.1/blog>Istio blog</a></li><li>The <a href=https://discuss.istio.io/c/announcements>Announcements</a> category on discuss.istio.io</li><li>The <a href=https://twitter.com/IstioMesh>Istio Twitter feed</a></li><li>The <a href=https://istio.slack.com/messages/CFXS256EQ/>#announcements channel on Slack</a></li></ul></li></ul><p>As much as possible, this announcement will be actionable and include any mitigating steps customers can take prior to
upgrading to a fixed version. The recommended target time for these announcements is 16:00 UTC from Monday to Thursday.
This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia.</p></article><nav class=pagenav><div class=left><a title="What to do if you find a bug." href=/v1.1/about/bugs/><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#left-arrow"/></svg>Reporting Bugs</a></div><div class=right><a title="Official Istio resources for digital and printed materials." href=/v1.1/about/media-resources/>Media Resources<svg class="icon"><use xlink:href="/v1.1/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Reporting a vulnerability"><a href=#reporting-a-vulnerability>Reporting a vulnerability</a><ol><li role=none aria-label="When to report a security vulnerability?"><a href=#when-to-report-a-security-vulnerability>When to report a security vulnerability?</a><li role=none aria-label="When not to report a security vulnerability?"><a href=#when-not-to-report-a-security-vulnerability>When not to report a security vulnerability?</a></ol></li><li role=none aria-label=Evaluation><a href=#evaluation>Evaluation</a><li role=none aria-label="Fixing the issue"><a href=#fixing-the-issue>Fixing the issue</a><li role=none aria-label="Early disclosure"><a href=#early-disclosure>Early disclosure</a><li role=none aria-label="Public disclosure"><a href=#public-disclosure>Public disclosure</a></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.1.9 now" href=https://github.com/istio/istio/releases/tag/1.1.9 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.1.9<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#github"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#slack"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#top"/></svg></button></div></body></html>