Security Bulletins

Disclosed security vulnerabilities and their mitigation.

| Disclosure | Date | Affected Releases | Impact Score | Related |
|---|---|---|---|---|
| ISTIO-SECURITY-2019-007 | December 10, 2019 | 1.2 to 1.2.9; 1.3 to 1.3.5; 1.4 to 1.4.1 | 9.0 | Heap overflow and improper input validation in Envoy |
| ISTIO-SECURITY-2019-006 | November 7, 2019 | 1.3 to 1.3.4 | 7.5 | Denial of service |
| ISTIO-SECURITY-2019-005 | October 8, 2019 | 1.1 to 1.1.15; 1.2 to 1.2.6; 1.3 to 1.3.1 | 7.5 | Denial of service caused by the presence of numerous HTTP headers in client requests |
| Istio 1.2.4 sidecar image vulnerability | September 10, 2019 | 1.2 to 1.2.4 | | An erroneous 1.2.4 sidecar image was available due to a faulty release operation |
| ISTIO-SECURITY-2019-003 | August 13, 2019 | 1.1 to 1.1.12; 1.2 to 1.2.3 | 7.5 | Denial of service in regular expression parsing |
| ISTIO-SECURITY-2019-004 | August 13, 2019 | 1.1 to 1.1.12; 1.2 to 1.2.3 | 7.5 | Multiple denial of service vulnerabilities related to HTTP2 support in Envoy |
| ISTIO-SECURITY-2019-002 | June 28, 2019 | 1.0 to 1.0.8; 1.1 to 1.1.9; 1.2 to 1.2.1 | 7.5 | Denial of service affecting JWT access token parsing |
| ISTIO-SECURITY-2019-001 | May 28, 2019 | 1.1 to 1.1.6 | 8.9 | Incorrect access control |