News

Select security bulletins, release announcements, or support announcements to stay up to date.

Announcing Istio 1.9.7

Istio 1.9.7 patch release.

Announcing Istio 1.10.3

Istio 1.10.3 patch release.

ISTIO-SECURITY-2021-007

Istio contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.

CVE(s): CVE-2021-34824
CVSS: 9.1
Affected versions: All 1.8 patch releases, 1.9.0 to 1.9.5, 1.10.0 to 1.10.1

Announcing Istio 1.9.6

Istio 1.9.6 patch release.

Announcing Istio 1.10.2

Istio 1.10.2 patch release.

Announcing Istio 1.10.1

Istio 1.10.1 patch release.

Announcing Istio 1.10

Istio 1.10 release announcement.

Istio 1.10 Upgrade Notes

Important changes to consider when upgrading to Istio 1.10.0.

Istio 1.10 Change Notes

Istio 1.10.0 release notes.

Support for Istio 1.8 has ended

Istio 1.8 end of life announcement.

ISTIO-SECURITY-2021-006

An external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.

CVE(s): CVE-2021-31921
CVSS: 10
Affected versions: All releases prior to 1.8.6, 1.9.0 to 1.9.4

ISTIO-SECURITY-2021-005

HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules.

CVE(s): CVE-2021-31920
CVSS: 8.1
Affected versions: All releases prior to 1.8.6, 1.9.0 to 1.9.4

Announcing Istio 1.9.5

Istio 1.9.5 patch release.

Announcing Istio 1.8.6

Istio 1.8.6 patch release.

Announcing Istio 1.9.4

Istio 1.9.4 patch release.

ISTIO-SECURITY-2021-004

Potential misuse of mTLS-only fields in AuthorizationPolicy with plain text traffic.

CVE(s): N/A
CVSS: N/A
Affected versions: All releases 1.5 and later

ISTIO-SECURITY-2021-003

CVE(s): CVE-2021-28683, CVE-2021-28682, CVE-2021-29258
CVSS: 7.5
Affected versions: All releases prior to 1.8.5, 1.9.0 to 1.9.2

Announcing Istio 1.9.3

Istio 1.9.3 patch release.

Announcing Istio 1.8.5

Istio 1.8.5 patch release.

Support for Istio 1.8 ends on May 12th, 2021

Upcoming Istio 1.8 end of life announcement.

ISTIO-SECURITY-2021-002

Upgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports.

CVE(s): N/A
CVSS: N/A
Affected versions: All releases 1.6 and later

Announcing Istio 1.9.2

Istio 1.9.2 patch release.

Announcing Istio 1.8.4

Istio 1.8.4 patch release.

ISTIO-SECURITY-2021-001

JWT authentication can be bypassed when AuthorizationPolicy is misused.

CVE(s): CVE-2021-21378
CVSS: 8.2
Affected versions: 1.9.0

Announcing Istio 1.9.1

Istio 1.9.1 patch release.

Support for Istio 1.7 has ended

Istio 1.7 end of life announcement.

Announcing Istio 1.7.8

Istio 1.7.8 patch release.

Announcing Istio 1.9

Istio 1.9 release announcement.

Istio 1.9 Upgrade Notes

Important changes to consider when upgrading to Istio 1.9.0.

Istio 1.9 Change Notes

Istio 1.9.0 release notes.

Announcing Istio 1.8.3

Istio 1.8.3 patch release.

Announcing Istio 1.7.7

Istio 1.7.7 patch release.

Support for Istio 1.7 ends on February 19th, 2021

Upcoming Istio 1.7 end of life announcement.

Announcing Istio 1.8.2

Istio 1.8.2 patch release.

Announcing Istio 1.7.6

Istio 1.7.6 patch release.

Announcing Istio 1.8.1

Istio 1.8.1 patch release.

Support for Istio 1.6 has ended

Istio 1.6 end of life announcement.

Announcing Istio 1.6.14

Istio 1.6.14 patch release.

ISTIO-SECURITY-2020-011

Envoy incorrectly restores the proxy protocol downstream address for non-HTTP connections.

CVE(s): N/A
CVSS: N/A
Affected versions: 1.8.0

Announcing Istio 1.8

Istio 1.8 release announcement.

Announcing Istio 1.7.5

Istio 1.7.5 patch release.

Istio 1.8 Upgrade Notes

Important changes to consider when upgrading to Istio 1.8.

Istio 1.8 Change Notes

Istio 1.8 release notes.

Announcing Istio 1.7.4

Istio 1.7.4 patch release.

Announcing Istio 1.6.13

Istio 1.6.13 patch release.

Support for Istio 1.6 ends on November 21st, 2020

Upcoming Istio 1.6 end of life announcement.

Announcing Istio 1.6.12

Istio 1.6.12 patch release.

ISTIO-SECURITY-2020-010

CVE(s): CVE-2020-25017
CVSS: 8.3
Affected versions: 1.6 to 1.6.10, 1.7 to 1.7.2

Announcing Istio 1.7.3

Istio 1.7.3 security release.

Announcing Istio 1.6.11

Istio 1.6.11 security release.

Announcing Istio 1.6.10

Istio 1.6.10 patch release.

Announcing Istio 1.7.2

Istio 1.7.2 patch release.

Announcing Istio 1.7.1

Istio 1.7.1 patch release.

Announcing Istio 1.6.9

Istio 1.6.9 patch release.

Support for Istio 1.5 has ended

Istio 1.5 end of life announcement.

Announcing Istio 1.5.10

Istio 1.5.10 patch release.

Announcing Istio 1.7

Istio 1.7 release announcement.

Istio 1.7 Upgrade Notes

Important changes to consider when upgrading to Istio 1.7.

Istio 1.7 Change Notes

Istio 1.7 release notes.

ISTIO-SECURITY-2020-009

Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services.

CVE(s): CVE-2020-16844
CVSS: 6.8
Affected versions: 1.5 to 1.5.8, 1.6 to 1.6.7

Announcing Istio 1.6.8

Istio 1.6.8 patch release.

Announcing Istio 1.5.9

Istio 1.5.9 security release.

Announcing Istio 1.6.7

Istio 1.6.7 patch release.

Announcing Istio 1.6.6

Istio 1.6.6 patch release.

Support for Istio 1.5 ends on August 21st, 2020

Upcoming Istio 1.5 end of life announcement.

ISTIO-SECURITY-2020-008

Incorrect validation of wildcard DNS Subject Alternative Names.

CVE(s): CVE-2020-15104
CVSS: 6.6
Affected versions: 1.5 to 1.5.7, 1.6 to 1.6.4, All releases prior to 1.5

Announcing Istio 1.6.5

Istio 1.6.5 patch release.

Announcing Istio 1.5.8

Istio 1.5.8 security release.

ISTIO-SECURITY-2020-007

Multiple denial of service vulnerabilities in Envoy.

CVE(s): CVE-2020-12603, CVE-2020-12605, CVE-2020-8663, CVE-2020-12604
CVSS: 7.5
Affected versions: 1.5 to 1.5.6, 1.6 to 1.6.3

Announcing Istio 1.6.4

Istio 1.6.4 security release.

Announcing Istio 1.5.7

Istio 1.5.7 security release.

Announcing Istio 1.4.10

Istio 1.4.10 security release.

Announcing Istio 1.6.3

Istio 1.6.3 patch release.

Announcing Istio 1.5.6

Istio 1.5.6 patch release.

ISTIO-SECURITY-2020-006

Denial of service in the HTTP2 library used by Envoy.

CVE(s): CVE-2020-11080
CVSS: 7.5
Affected versions: 1.4 to 1.4.9, 1.5 to 1.5.4, 1.6 to 1.6.1

Announcing Istio 1.6.2

Istio 1.6.2 security release.

Announcing Istio 1.5.5

Istio 1.5.5 security release.

Support for Istio 1.4 has ended

Istio 1.4 end of life announcement.

Announcing Istio 1.6.1

Istio 1.6.1 patch release.

Announcing Istio 1.6

Istio 1.6 release announcement.

Istio 1.6 Upgrade Notes

Important changes to consider when upgrading to Istio 1.6.

Istio 1.6 Change Notes

Istio 1.6 release notes.

Announcing Istio 1.5.4

Istio 1.5.4 security release.

ISTIO-SECURITY-2020-005

Denial of service affecting telemetry v2.

CVE(s): CVE-2020-10739
CVSS: 7.5
Affected versions: 1.4 to 1.4.8, 1.5 to 1.5.3

Announcing Istio 1.5.3

Istio 1.5.3 security release.

Announcing Istio 1.4.9

Istio 1.4.9 patch release.

Support for Istio 1.4 ends on June 5th, 2020

Upcoming Istio 1.4 end of life announcement.

Announcing Istio 1.5.2

Istio 1.5.2 patch release.

Announcing Istio 1.4.8

Istio 1.4.8 patch release.

ISTIO-SECURITY-2020-004

Default Kiali security configuration allows full control of mesh.

CVE(s): CVE-2020-1764
CVSS: 8.7
Affected versions: 1.4 to 1.4.6, 1.5

Announcing Istio 1.5.1

Istio 1.5.1 patch release.

Announcing Istio 1.4.7

Istio 1.4.7 patch release.

Announcing Istio 1.5

Istio 1.5 release announcement.

Istio 1.5 Upgrade Notes

Important changes to consider when upgrading to Istio 1.5.

Istio 1.5 Change Notes

Istio 1.5 release notes.

ISTIO-SECURITY-2020-003

Two uncontrolled resource consumption and two incorrect access control vulnerabilities in Envoy.

CVE(s): CVE-2020-8659, CVE-2020-8660, CVE-2020-8661, CVE-2020-8664
CVSS: 7.5
Affected versions: 1.4 to 1.4.5

Announcing Istio 1.4.6

Istio 1.4.6 patch release.

Announcing Istio 1.4.5

Istio 1.4.5 patch release.

Support for Istio 1.3 has ended

Istio 1.3 end of life announcement.

ISTIO-SECURITY-2020-002

Mixer policy check bypass caused by improperly accepting certain request headers.

CVE(s): CVE-2020-8843
CVSS: 7.4
Affected versions: 1.3 to 1.3.6

ISTIO-SECURITY-2020-001

Authentication Policy bypass.

CVE(s): CVE-2020-8595
CVSS: 9.0
Affected versions: 1.3 to 1.3.7, 1.4 to 1.4.3

Announcing Istio 1.4.4

Istio 1.4.4 patch release.

Announcing Istio 1.3.8

Istio 1.3.8 patch release.

Announcing Istio 1.3.7

Istio 1.3.7 patch release.

Support for Istio 1.3 ends on February 14th, 2020

Upcoming Istio 1.3 end of life announcement.

Announcing Istio 1.4.3

Istio 1.4.3 patch release.

Support for Istio 1.2 has ended

Istio 1.2 end of life announcement.

ISTIO-SECURITY-2019-007

Heap overflow and improper input validation in Envoy.

CVE(s): CVE-2019-18801, CVE-2019-18802
CVSS: 9.0
Affected versions: 1.2 to 1.2.9, 1.3 to 1.3.5, 1.4 to 1.4.1

Announcing Istio 1.4.2

Istio 1.4.2 patch release.

Announcing Istio 1.3.6

Istio 1.3.6 patch release.

Announcing Istio 1.2.10

Istio 1.2.10 patch release.

Announcing Istio 1.4.1

Istio 1.4.1 patch release.

Announcing Istio 1.4

Istio 1.4 release announcement.

Istio 1.4 Upgrade Notes

Important changes to consider when upgrading to Istio 1.4.

Istio 1.4 Change Notes

Istio 1.4 release notes.

Support for Istio 1.2 ends on December 13th, 2019

Upcoming Istio 1.2 end of life announcement.

Announcing Istio 1.3.5

Istio 1.3.5 patch release.

ISTIO-SECURITY-2019-006

Denial of service.

CVE(s): CVE-2019-18817
CVSS: 7.5
Affected versions: 1.3 to 1.3.4

Announcing Istio 1.2.9

Istio 1.2.9 patch release.

Announcing Istio 1.3.4

Istio 1.3.4 patch release.

Announcing Istio 1.2.8

Istio 1.2.8 patch release.

Support for Istio 1.1 has ended

Istio 1.1 end of life announcement.

Announcing Istio 1.1.17

Istio 1.1.17 patch release.

Announcing Istio 1.3.3

Istio 1.3.3 patch release.

ISTIO-SECURITY-2019-005

Denial of service caused by the presence of numerous HTTP headers in client requests.

CVE(s): CVE-2019-15226
CVSS: 7.5
Affected versions: 1.1 to 1.1.15, 1.2 to 1.2.6, 1.3 to 1.3.1

Announcing Istio 1.3.2

Istio 1.3.2 patch release.

Announcing Istio 1.2.7

Istio 1.2.7 patch release.

Announcing Istio 1.1.16

Istio 1.1.16 patch release.

Announcing Istio 1.3.1

Istio 1.3.1 patch release.

Announcing Istio 1.2.6

Istio 1.2.6 patch release.

Announcing Istio 1.1.15

Istio 1.1.15 patch release.

Announcing Istio 1.3

Istio 1.3 release announcement.

Istio 1.3 Helm Changes

Details the differences in Helm chart installation options between Istio 1.2 and Istio 1.3.

Istio 1.3 Upgrade Notes

Important changes to consider when upgrading to Istio 1.3.

Istio 1.3 Change Notes

Istio 1.3 release notes.

Istio 1.2.4 sidecar image vulnerability

An erroneous 1.2.4 sidecar image was available due to a faulty release operation.

Affected versions: 1.2 to 1.2.4

Announcing Istio 1.2.5

Istio 1.2.5 patch release.

Announcing Istio 1.1.14

Istio 1.1.14 patch release.

Support for Istio 1.1 ends on September 19th, 2019

Upcoming Istio 1.1 end of life announcement.

ISTIO-SECURITY-2019-004

Multiple denial of service vulnerabilities related to HTTP2 support in Envoy.

CVE(s): CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518
CVSS: 7.5
Affected versions: 1.1 to 1.1.12, 1.2 to 1.2.3

ISTIO-SECURITY-2019-003

Denial of service in regular expression parsing.

CVE(s): CVE-2019-14993
CVSS: 7.5
Affected versions: 1.1 to 1.1.12, 1.2 to 1.2.3

Announcing Istio 1.2.4

Istio 1.2.4 patch release.

Announcing Istio 1.1.13

Istio 1.1.13 patch release.

Announcing Istio 1.2.3

Istio 1.2.3 patch release.

Announcing Istio 1.1.12

Istio 1.1.12 patch release.

Announcing Istio 1.1.11

Istio 1.1.11 patch release.

ISTIO-SECURITY-2019-002

Denial of service affecting JWT access token parsing.

CVE(s): CVE-2019-12995
CVSS: 7.5
Affected versions: 1.0 to 1.0.8, 1.1 to 1.1.9, 1.2 to 1.2.1

Announcing Istio 1.2.2

Istio 1.2.2 patch release.

Announcing Istio 1.1.10

Istio 1.1.10 patch release.

Announcing Istio 1.0.9

Istio 1.0.9 patch release.

Announcing Istio 1.2.1

Istio 1.2.1 patch release.

Support for Istio 1.0 has ended

Istio 1.0 end of life announcement.

Announcing Istio 1.2

Istio 1.2 release announcement.

Istio 1.2 Helm Changes

Details the differences in Helm chart installation options between Istio 1.1 and Istio 1.2.

Istio 1.2 Upgrade Notes

Important changes operators must understand before upgrading to Istio 1.2.

Istio 1.2 Change Notes

Istio 1.2 release notes.

Announcing Istio 1.1.9

Istio 1.1.9 patch release.

Announcing Istio 1.0.8

Istio 1.0.8 patch release.

Announcing Istio 1.1.8

Istio 1.1.8 patch release.

ISTIO-SECURITY-2019-001

Incorrect access control.

CVE(s): CVE-2019-12243
CVSS: 8.9
Affected versions: 1.1 to 1.1.6

Support for Istio 1.0 ends on June 19th, 2019

Upcoming Istio 1.0 end of life announcement.

Announcing Istio 1.1.7

Istio 1.1.7 patch release.

Announcing Istio 1.1.6

Istio 1.1.6 patch release.

Announcing Istio 1.1.5

Istio 1.1.5 patch release.

Announcing Istio 1.1.4

Istio 1.1.4 patch release.

Announcing Istio 1.1.3

Istio 1.1.3 patch release.

Announcing Istio 1.1.2 with Important Security Update

Istio 1.1.2 patch release.

Announcing Istio 1.0.7 with Important Security Update

Istio 1.0.7 patch release.

Announcing Istio 1.1.1

Istio 1.1.1 patch release.

Announcing Istio 1.1

Istio 1.1 release announcement.

Istio 1.1 Helm Changes

Details the differences in Helm chart installation options between Istio 1.0 and Istio 1.1.

Istio 1.1 Upgrade Notes

Important changes operators must understand before upgrading to Istio 1.1.

Istio 1.1 Change Notes

Istio 1.1 release notes.

Announcing Istio 1.0.6

Istio 1.0.6 patch release.

Announcing Istio 1.0.5

Istio 1.0.5 patch release.

Announcing Istio 1.0.4

Istio 1.0.4 patch release.

Announcing Istio 1.0.3

Istio 1.0.3 patch release.

Announcing Istio 1.0.2

Istio 1.0.2 patch release.

Announcing Istio 1.0.1

Istio 1.0.1 patch release.

Announcing Istio 1.0

Istio is ready for production use with its 1.0 release.

Announcing Istio 0.8

Istio 0.8 announcement.

Announcing Istio 0.7

Istio 0.7 announcement.

Announcing Istio 0.6

Istio 0.6 announcement.

Announcing Istio 0.5

Istio 0.5 announcement.

Announcing Istio 0.4

Istio 0.4 announcement.

Announcing Istio 0.3

Istio 0.3 announcement.

Announcing Istio 0.2

Istio 0.2 announcement.

Introducing Istio

Istio 0.1 announcement.