ISTIO-SECURITY-2020-006

Security Bulletin

Disclosure Details
CVE(s) CVE-2020-11080
CVSS Impact Score 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Releases 1.4 to 1.4.9
1.5 to 1.5.4
1.6 to 1.6.1

A vulnerability affecting the HTTP2 library used by Envoy has been fixed and publicly disclosed (c.f. Denial of service: Overly large SETTINGS frames ). Unfortunately Istio did not benefit from a responsible disclosure process.

Mitigation

HTTP2 support could be disabled on the Ingress Gateway as a temporary workaround using the following configuration for example (Note that HTTP2 support at ingress can be disabled if you are not exposing gRPC services through ingress):


apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: disable-ingress-h2
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER # http connection manager is a filter in Envoy
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: HTTP1
  • For Istio 1.4.x deployments: update to Istio 1.4.10 or later.
  • For Istio 1.5.x deployments: update to Istio 1.5.5 or later.
  • For Istio 1.6.x deployments: update to Istio 1.6.2 or later.

Credit

We’d like to thank Michael Barton for bringing this publicly disclosed vulnerability to our attention.

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!