
ISTIO-SECURITY-2019-007

Security Bulletin

Security vulnerability details

CVE(s): CVE-2019-18801, CVE-2019-18802
CVSS impact score: 9.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected releases: 1.2 to 1.2.9, 1.3 to 1.3.5, 1.4 to 1.4.1

Envoy, and consequently Istio, are vulnerable to two newly discovered vulnerabilities:

  • CVE-2019-18801: This vulnerability affects Envoy’s HTTP/1 codec in the way it processes downstream requests that carry large HTTP/2 headers. Successful exploitation of this vulnerability could lead to denial of service, escalation of privileges, or information disclosure.

  • CVE-2019-18802: The HTTP/1 codec incorrectly fails to trim whitespace after header values. This could allow an attacker to bypass Istio’s policy, leading to either information disclosure or escalation of privileges.
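To make the header-value trimming behind CVE-2019-18802 concrete, here is an added illustration (not Envoy's or Istio's code): a compliant HTTP/1 header-line parser that strips optional whitespace around the field value as RFC 7230 requires, beside a constructed parser that keeps trailing whitespace, and a helper that flags headers the two would represent differently. The sample header lines and the `x-tenant` rule are constructed for the example.

```python
# RFC 7230 section 3.2: header-field = field-name ":" OWS field-value OWS,
# where OWS = *( SP / HTAB ). A compliant HTTP/1 codec strips the OWS on
# both sides of the field value before any policy layer sees it.
_OWS = " \t"


def _split(line: str) -> tuple[str, str]:
    name, sep, value = line.partition(":")
    if not sep or not name or name.strip(_OWS) != name:
        raise ValueError(f"malformed header line: {line!r}")
    return name.lower(), value


def parse_header_rfc7230(line: str) -> tuple[str, str]:
    """Compliant parse: trailing OWS is removed from the value."""
    name, value = _split(line)
    return name, value.strip(_OWS)


def parse_header_untrimmed(line: str) -> tuple[str, str]:
    """Constructed parser modelling the defect class in the bulletin: leading
    OWS is trimmed but trailing OWS is kept. Illustration only, not Envoy."""
    name, value = _split(line)
    return name, value.lstrip(_OWS)


def ambiguous_headers(lines: list[str]) -> dict[str, tuple[str, str]]:
    """Headers whose value differs between the two parsers, as
    name -> (compliant_value, untrimmed_value). A value-matching policy
    evaluated against such a header behaves inconsistently."""
    out = {}
    for line in lines:
        name, good = parse_header_rfc7230(line)
        _, bad = parse_header_untrimmed(line)
        if good != bad:
            out[name] = (good, bad)
    return out


def policy_matches(headers: dict[str, str], rule: dict[str, str]) -> bool:
    """Exact-value header rule, the shape of a route or authorization match."""
    return all(headers.get(k) == v for k, v in rule.items())


# Constructed request headers; the trailing SP and HTAB on X-Tenant are the point.
SAMPLE_LINES = ["Host: example.internal", "X-Tenant: blue \t", "Content-Type: application/json"]

if __name__ == "__main__":
    print(ambiguous_headers(SAMPLE_LINES))
    for parser in (parse_header_rfc7230, parse_header_untrimmed):
        print(parser.__name__, policy_matches(dict(map(parser, SAMPLE_LINES)), {"x-tenant": "blue"}))
```

The two parsers agree on every header except `x-tenant`, which is exactly the disagreement a patched codec removes.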

Impact and detection

Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases and downstream requests are HTTP/2 while upstream connections are HTTP/1, then your cluster is vulnerable. We expect this to be true of most clusters.

Mitigation

  • For Istio 1.2.x deployments: update to Istio 1.2.10 or later.
  • For Istio 1.3.x deployments: update to Istio 1.3.6 or later.
  • For Istio 1.4.x deployments: update to Istio 1.4.2 or later.

Reporting vulnerabilities

We encourage everyone to follow the vulnerability reporting process to report any bug that could lead to a security vulnerability.
