Announcing Istio 1.17.2
Istio 1.17.2 patch release.
This release fixes the security vulnerabilities described in our April 4th post, ISTIO-SECURITY-2023-001. This release note describes what’s different between Istio 1.17.1 and 1.17.2.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
CVE-2023-27487: (CVSS Score 8.2, High): Client may fake the header
CVE-2023-27488: (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
CVE-2023-27491: (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
CVE-2023-27492: (CVSS Score 4.8, Moderate): Crash when a large request body is processed in Lua filter.
CVE-2023-27493: (CVSS Score 8.1, High): Envoy doesn’t escape HTTP header values.
CVE-2023-27496: (CVSS Score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.
Added support for pushing additional federated trust domains from
caCertificatesto the peer SAN validator. (Issue #41666)
Fixed overwriting label
istio.io/revin injected gateways when
istio.io/rev=<tag>. (Issue #33237)
Fixed an issue where you could not disable tracing in
ProxyConfig. (Issue #31809)
Fixed admission webhook fails with custom header value format. (Issue #42749)
Fixed a bug that would cause unexpected behavior when applying access logging configuration based on the direction of traffic. With this fix, access logging configuration for
SERVERwill not affect each other. (Issue #43371)
Fixed an issue where
Cluster.ConnectTimeoutwas affecting unrelated
Clusters. (Issue #43435)
Fixed a bug in
istioctl analyzewhere some messages are missed when there are services with no selector in the analyzed namespace. (PR #43678)
Fixed resource namespace resolution for
istioctlcommands. (Issue #43691)
Fixed an issue where auto allocated service entry IPs change on host reuse. (Issue #43858)
Fixed an issue where RBAC updates were not sent to older proxies after upgrading istiod to 1.17. (Issue #43785)
Fixed reconciliation logic in the validation webhook controller to rate-limit the retries in the loop. This should drastically reduce churn (and generated logs) in cases of misconfiguration. (Issue #32210)
Fixed an issue causing VMs using auto-registration to ignore labels other than those defined in a
WorkloadGroup. (PR #44012)
istioctl experimental waithas undecipherable message when
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGis not enabled. (Issue #42967)