Announcing Istio 1.10.4
Istio 1.10.4 patch release.
This release fixes the security vulnerabilities described in our August 24th post, ISTIO-SECURITY-2021-008, as well as a few minor bugs to improve robustness. This release note describes what’s different between Istio 1.10.3 and 1.10.4.
CVE-2021-39155 (CVE-2021-32779): Istio authorization policies incorrectly compare the host header in a case-sensitive manner, whereas RFC 4343 states it should be case-insensitive. Envoy routes the request hostname in a case-insensitive way, which means the authorization policy could be bypassed.
- CVSS Score: 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
CVE-2021-39156: Istio contains a remotely exploitable vulnerability where an HTTP request with a fragment (e.g. #Section) in the path may bypass Istio’s URI path based authorization policies.
- CVSS Score: 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
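As an added illustration (not Istio's or Envoy's code), a minimal Go DENY-rule matcher showing why both fixes matter: the naive form compares the host case-sensitively and leaves a "#fragment" in the path, while the normalized form folds case per RFC 4343 and strips the fragment before the exact path comparison. Rule, naiveDenies, stripFragment and normalizedDenies are hypothetical names for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified DENY rule modelled on the host/path matching that
// CVE-2021-39155 and CVE-2021-39156 concern: deny a request whose host
// equals Host and whose path equals Path. (Hypothetical type for this
// example; not Istio's own policy engine.)
type Rule struct {
	Host string // e.g. "admin.example.com"
	Path string // exact path, e.g. "/admin"
}

// naiveDenies mirrors the two defects: the host is compared
// case-sensitively and a "#fragment" suffix in the request-target is left
// in the path, so "/admin#x" is not recognised as "/admin".
func naiveDenies(r Rule, host, path string) bool {
	return host == r.Host && path == r.Path
}

// stripFragment returns the path with any "#fragment" removed, which is
// the path the upstream application will actually serve.
func stripFragment(path string) string {
	if i := strings.IndexByte(path, '#'); i >= 0 {
		return path[:i]
	}
	return path
}

// normalizedDenies evaluates the same rule after normalising the request:
// the host is compared case-insensitively (per RFC 4343) and the fragment
// is dropped before the exact path comparison. Ports in the host header
// are out of scope for this example.
func normalizedDenies(r Rule, host, path string) bool {
	return strings.EqualFold(host, r.Host) && stripFragment(path) == r.Path
}

func main() {
	r := Rule{Host: "admin.example.com", Path: "/admin"}
	// Constructed sample requests: the baseline plus the two variants.
	for _, req := range [][2]string{
		{"admin.example.com", "/admin"},
		{"Admin.Example.COM", "/admin"},
		{"admin.example.com", "/admin#section"},
	} {
		fmt.Printf("%-20s %-16s naive=%-5v normalized=%v\n", req[0], req[1],
			naiveDenies(r, req[0], req[1]), normalizedDenies(r, req[0], req[1]))
	}
}
```

Only the baseline request is denied by the naive matcher; the normalized matcher denies all three, which is the behaviour the patched policy engine restores.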
Envoy Security updates
CVE-2021-32777 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an HTTP request with multiple value headers may bypass authorization policies when using the
CVE-2021-32778 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests may lead to excessive CPU consumption.
CVE-2021-32780 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an untrusted upstream service may cause Envoy to terminate abnormally by sending the GOAWAY frame followed by the SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Note: this vulnerability does not impact downstream client connections.
CVE-2021-32781 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability that affects Envoy’s decompressor, json-transcoder or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy extension beyond the internal buffer size may lead to Envoy accessing deallocated memory and terminating abnormally.
Added a validator to prevent empty regex matches. (Issue #34065)
Added a new analyzer to check for image: auto in Pods and Deployments that will not be injected.
Fixed a bug where having multiple gateways on the same port in PASSTHROUGH mode did not work correctly. (Issue #33405)
Fixed a bug in Kubernetes Ingress causing paths with prefixes of the form /foo to match the route /foo/ but not the route