Istio has issued a security update for its eponymous service mesh after realising that a bug that was fixed in its most recent release, actually constituted a security vulnerability.
The bug was originally thought to be “impacting the TCP Authorization feature advertised as alpha stability, which would not have required invoking this security advisory process” Istio explained.
However, it continued, “we later realized that the Deny Checker and List Checker feature were affected and those are considered stable features.”
The bug-turned-flaw had been fixed in the most recent release, but the project team spotted the vulnerability during a review of the Istio 1.1.7 release notes. Istio 1.1.7 was released earlier this month.
To be affected, as well as running one of the affected releases, you would need to have disablePolicyChecks set to false, be running a workload that isn#t using HTTP, HTTP/2, or gRPC protocols, and be using a mixer adapter to provide authorization for your backend TCP service.
The flakey code was introduced in Istio 1.1, and all releases through to 1.1.6 are affected. Users of 1.1 and above are advised to upgrade to 1.1.7. Users of 1.0.x are unaffected, but as support for v1.0 is due to end on June 19, with no more backporting for fixes for security issues after then, everybody is probably going to want to update.