Security Bulletins

Disclosed security vulnerabilities and their mitigation.

| Disclosure | Date | Affected Releases | Impact Score | Related |
| --- | --- | --- | --- | --- |
| ISTIO-SECURITY-2020-008 | July 9, 2020 | 1.5 to 1.5.7, 1.6 to 1.6.4, all releases prior to 1.5 | 6.6 | Incorrect validation of wildcard DNS Subject Alternative Names |
| ISTIO-SECURITY-2020-007 | June 30, 2020 | 1.5 to 1.5.6, 1.6 to 1.6.3 | 7.5 | Multiple denial of service vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-006 | June 11, 2020 | 1.4 to 1.4.9, 1.5 to 1.5.4, 1.6 to 1.6.1 | 7.5 | Denial of service in the HTTP2 library used by Envoy |
| ISTIO-SECURITY-2020-005 | May 12, 2020 | 1.4 to 1.4.8, 1.5 to 1.5.3 | 7.5 | Denial of service affecting telemetry v2 |
| ISTIO-SECURITY-2020-004 | March 25, 2020 | 1.4 to 1.4.6, 1.5 | 8.7 | Default Kiali security configuration allows full control of mesh |
| ISTIO-SECURITY-2020-003 | March 3, 2020 | 1.4 to 1.4.5 | 7.5 | Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy |
| ISTIO-SECURITY-2020-002 | February 11, 2020 | 1.3 to 1.3.6 | 7.4 | Mixer policy check bypass caused by improperly accepting certain request headers |
| ISTIO-SECURITY-2020-001 | February 11, 2020 | 1.3 to 1.3.7, 1.4 to 1.4.3 | 9.0 | Authentication Policy bypass |
| ISTIO-SECURITY-2019-007 | December 10, 2019 | 1.2 to 1.2.9, 1.3 to 1.3.5, 1.4 to 1.4.1 | 9.0 | Heap overflow and improper input validation in Envoy |
| ISTIO-SECURITY-2019-006 | November 7, 2019 | 1.3 to 1.3.4 | 7.5 | Denial of service |
| ISTIO-SECURITY-2019-005 | October 8, 2019 | 1.1 to 1.1.15, 1.2 to 1.2.6, 1.3 to 1.3.1 | 7.5 | Denial of service caused by the presence of numerous HTTP headers in client requests |
| Istio 1.2.4 sidecar image vulnerability | September 10, 2019 | 1.2 to 1.2.4 | | An erroneous 1.2.4 sidecar image was available due to a faulty release operation |
| ISTIO-SECURITY-2019-004 | August 13, 2019 | 1.1 to 1.1.12, 1.2 to 1.2.3 | 7.5 | Multiple denial of service vulnerabilities related to HTTP2 support in Envoy |
| ISTIO-SECURITY-2019-003 | August 13, 2019 | 1.1 to 1.1.12, 1.2 to 1.2.3 | 7.5 | Denial of service in regular expression parsing |
| ISTIO-SECURITY-2019-002 | June 28, 2019 | 1.0 to 1.0.8, 1.1 to 1.1.9, 1.2 to 1.2.1 | 7.5 | Denial of service affecting JWT access token parsing |
| ISTIO-SECURITY-2019-001 | May 28, 2019 | 1.1 to 1.1.6 | 8.9 | Incorrect access control |