Announcing Istio 1.12.2
Istio 1.12.2 patch release.
This release fixes security vulnerabilities described on January 18th (ISTIO-SECURITY-2022-001 and ISTIO-SECURITY-2022-002) and includes minor bug fixes to improve robustness. This release note describes what’s different between Istio 1.12.1 and Istio 1.12.2.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
CVE-2022-21679: Istio versions 1.12.0 and 1.12.1 contain a vulnerability where configuration for proxies at version 1.11 is generated incorrectly, affecting the
notHostsfield in the authorization policy.
CVE-2022-21701: Istio versions 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have
gateways.gateway.networking.k8s.ioobjects can escalate this privilege to create other resources that they may not have access to, such as
Added privileged flag to Istio-CNI Helm charts to set
securityContextflag. (Issue #34211)
Fixed an issue where enabling tracing with telemetry API would cause a malformed host header being used at the trace report request. (Issue #35750)
istioctl pc logcommand label selector not selecting the default pod. (Issue #36182)
Fixed an issue where
istioctl analyzefalsely warned of a VirtualService prefix match overlap. (Issue #36245)
Fixed omitted setting
.Values.sidecarInjectiorWebhook.enableNamespacesByDefaultin the default revision mutating webhook and added –auto-inject-namespaces flag to
istioctl tagcontrolling this setting. (Issue #36258)
Fixed values in the Istio Gateway Helm charts for configuring annotations on the Service. Can be used to configure load balancer in public clouds. (Pull Request #36384)
Fixed the incorrect format of version and revision in the build info. (Pull Request #36409)
Fixed an issue where stale endpoints can be configured when a service gets deleted and created again. (Issue #36510)
Fixed an issue that sidecar iptables will cause intermittent connection reset due to the out of window packet. Introduced a flag
meshConfig.defaultConfig.proxyMetadata.INVALID_DROPto control this setting. (Issue #36489)
operator init --dry-runcreates unexpected namespaces. (Pull Request #36570)
Fixed an issue where setting
includeInboundPortswith helm values does not take effect. (Issue #36644)
Fixed endpoint slice cache memory leak. (Pull Request #36518)
Fixed changes in delegate virtual service not taking effect when RDS cache enabled. (Issue #36525)
Fixed an issue when using Envoy
EnvoyFilters. (Issue #36537)