---
title: Announcing Istio 1.1.13
subtitle: Patch Release
description: Istio 1.1.13 patch release.
publishdate: 2019-08-13
release: 1.1.13
aliases:
    - /about/notes/1.1.13
    - /blog/2019/announcing-1.1.13
    - /news/announcing-1.1.13
---

We're pleased to announce the availability of Istio 1.1.13. Please see below for what's changed.

{{< relnote >}}

## Security update

This release contains fixes for the security vulnerabilities described in our August 13th, 2019 news post. Specifically:

- __ISTIO-SECURITY-2019-003__: An Envoy user publicly reported an issue (c.f. Envoy Issue 7728) with regular expression matching that crashes Envoy on very large URIs.
    - __CVE-2019-14993__: After investigation, the Istio team found that this issue could be leveraged for a DoS attack against Istio if users employ regular expressions in some of the Istio APIs: JWT, VirtualService, HTTPAPISpecBinding, QuotaSpecBinding.
- __ISTIO-SECURITY-2019-004__: Envoy, and subsequently Istio, are vulnerable to a series of trivial HTTP/2-based DoS attacks:
    - __CVE-2019-9512__: HTTP/2 flood using PING frames and queuing of response PING ACK frames that results in unbounded memory growth (which can lead to out-of-memory conditions).
    - __CVE-2019-9513__: HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.
    - __CVE-2019-9514__: HTTP/2 flood using HEADERS frames with invalid HTTP headers and queuing of response RST_STREAM frames that results in unbounded memory growth (which can lead to out-of-memory conditions).
    - __CVE-2019-9515__: HTTP/2 flood using SETTINGS frames and queuing of SETTINGS ACK frames that results in unbounded memory growth (which can lead to out-of-memory conditions).
    - __CVE-2019-9518__: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.
    - See this security bulletin for more information.
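Before rolling out 1.1.13, an operator will usually want to know which resources in the mesh actually rely on regular-expression matching, since those are the ones exposed to the ISTIO-SECURITY-2019-003 / CVE-2019-14993 issue above. The script below is an added example, not Istio project code: it walks manifests that have already been loaded as Python dicts (for example the items from `kubectl get virtualservices -A -o json`, an assumed input source) and reports every field named `regex` under `spec`, which covers `uri`, `headers` and `queryParams` regex matchers in a VirtualService. The two sample manifests are constructed for the example.

```python
"""Inventory regex matchers in Istio resources.

Added example, not Istio's own code. Finds every field named ``regex``
under ``spec`` so an operator can see which resources depend on
regular-expression matching before upgrading. Input is a list of
manifests already parsed into dicts (e.g. the ``items`` of
``kubectl get virtualservices -A -o json``; that source is an assumption).
"""
from typing import Any, Dict, List, Tuple

# Constructed sample manifests; not taken from any real cluster.
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {
        "kind": "VirtualService",
        "metadata": {"name": "reviews", "namespace": "default"},
        "spec": {
            "hosts": ["reviews"],
            "http": [
                {"match": [{"uri": {"prefix": "/api/v1"}}],
                 "route": [{"destination": {"host": "reviews", "subset": "v1"}}]},
                {"match": [{"uri": {"regex": "^/api/v2/.*$"},
                            "headers": {"user-agent": {"regex": ".*Mobile.*"}}}],
                 "route": [{"destination": {"host": "reviews", "subset": "v2"}}]},
            ],
        },
    },
    {
        "kind": "VirtualService",
        "metadata": {"name": "ratings", "namespace": "default"},
        "spec": {
            "hosts": ["ratings"],
            "http": [{"match": [{"uri": {"exact": "/ratings"}}],
                      "route": [{"destination": {"host": "ratings"}}]}],
        },
    },
]


def _walk(node: Any, path: str, hits: List[Tuple[str, str]]) -> None:
    """Recursively collect (field path, pattern) for every key named 'regex'."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "regex" and isinstance(value, str):
                hits.append((child, value))
            else:
                _walk(value, child, hits)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", hits)


def find_regex_matchers(manifests: List[Dict[str, Any]]) -> Dict[str, List[Tuple[str, str]]]:
    """Map 'kind/namespace/name' to the regex fields found under its spec.

    Resources without any regex matcher are omitted, so an empty result
    means nothing in the input relies on regular-expression matching.
    """
    report: Dict[str, List[Tuple[str, str]]] = {}
    for manifest in manifests:
        meta = manifest.get("metadata", {})
        ident = f"{manifest.get('kind')}/{meta.get('namespace', 'default')}/{meta.get('name')}"
        hits: List[Tuple[str, str]] = []
        _walk(manifest.get("spec", {}), "spec", hits)
        if hits:
            report[ident] = hits
    return report


if __name__ == "__main__":
    for ident, hits in find_regex_matchers(SAMPLE_MANIFESTS).items():
        print(ident)
        for field, pattern in hits:
            print(f"  {field}: {pattern!r}")
```

The walk is deliberately generic (any `regex` key under `spec`) so the same function can be pointed at the other resource kinds named in the advisory once their JSON is loaded; only the VirtualService field layout is shown in the sample data.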

Nothing else is included in this release except for the above security fixes.