ISTIO-SECURITY-2019-007

Heap overflow and improper input validation in Envoy.

Dec 10, 2019

Disclosure Details
CVE(s)CVE-2019-18801
CVE-2019-18802
CVSS Impact Score9.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Releases1.2 to 1.2.9
1.3 to 1.3.5
1.4 to 1.4.1

Envoy, and subsequently Istio are vulnerable to two newly discovered vulnerabilities:

Impact and detection

Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases where downstream’s requests are HTTP/2 while upstream’s are HTTP/1, then your cluster is vulnerable. We expect this to be true of most clusters.

Mitigation

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.