The team behind service mesh Istio has released version 1.1.13 and 1.2.4 of the project to mitigate vulnerabilities that could be used for denial of service attacks.
The issues tackled are mostly down to problems in the Envoy proxy Istio uses to intercept network communication. The project for example has a yet to be closed issue concerning the matching of regular expressions, which can lead to services crashing because of large URIs. Since this can be exploited for denial of service attacks, Istio users employing regular expressions in APIs like JWT or VirtualService are vulnerable as well.
Envoy can also be brought down by some HTTP/2-based DoS attacks which use flooding to create out of memory conditions, which naturally has consequences for Istio.
According to the Istio blog, all versions seem to be affected by the issues mentioned, given that those prior to 1.1 aren’t supported anymore and considered vulnerable anyway, and the list of exposed releases pretty much encompasses the complete catalogue from v1.1 to 1.2.3.
The vulnerabilities are inventoried as ISTIO-SECURITY-2019-003 and ISTIO-SECURITY-2019-004 and score a solid 7.5 out of 10 overall (10 being the most severe) in the Common Vulnerability Scoring System. Both can have a high impact on a systems availability, that’s DoS for you, so an update is recommended.
However, updating always is a process, so if you want to check whether your deployments are really vulnerable before getting started, the Istio team has come up with a command to see if you used regular expressions in your APIs. Regarding the HTTP/2 exploits, you should be safe if your Istio is fronted by something like an HTTP load balancer that terminates HTTP. But make sure it isn’t itself vulnerable.
Istio is a platform-independent service mesh that was introduced by Google, IBM, and Lyft back in 2017. It can be used to create service networks that offer capabilities such as load balancing, monitoring, authentication and access control.
The open source project celebrated its first major release on 31 July 2018. Since then, the Istio team has tried to concentrate on project infrastructure and stability, making the project more maintainable. For the upcoming v1.3 for example, the release managers are working on a way to reduce manual tests. The team is also working on Istio’s usability, which sounds like a solid idea given the number of competing projects such as Kong, Linkerd, and Consul.