ISTIO-SECURITY-2020-005

Security Bulletin

Disclosure Details
CVE(s) CVE-2020-10739
CVSS Impact Score 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Releases 1.4 to 1.4.8
1.5 to 1.5.3

Istio 1.4 with telemetry v2 enabled and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled:

  • CVE-2020-10739: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.

Mitigation

  • For Istio 1.4.x deployments: update to Istio 1.4.9 or later.
  • For Istio 1.5.x deployments: update to Istio 1.5.4 or later.
  • Workaround: Alternatively, you can disable telemetry v2 by running the following:
$ istioctl manifest apply --set values.telemetry.v2.enabled=false

Credit

We’d like to thank Joren Zandstra for the original bug report.

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!