Istio finds pair of critical vulnerabilities, issues trio of updates


Istio has rushed out updates for all three of its series to fix a brace of newly discovered critical vulnerabilities in Envoy that could leave customers with exposed clusters.

The Istio team said the first vulnerability affects Envoy’s HTTP/1 codec and how it processes downstream requests that carry large HTTP/2 headers.

“A successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure,” it warns.

The second vulnerability means the HTTP/1 codec fails to trim whitespace after header values.

The upshot is, “This could allow an attacker to bypass Istio’s policy either for information disclosure or escalation of privileges.”
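To make the second issue concrete, here is an added illustration (not Envoy or Istio code) of why a codec must strip the optional whitespace that RFC 7230 allows after a header value before a policy layer compares it. The header lines and the exact-match deny rule are constructed for this example; the upstream application is assumed to be a conforming parser that trims both sides.

```python
"""Why an HTTP/1 codec must trim optional whitespace (OWS) after header values.

Added illustration for this article, not Envoy or Istio code. The header lines
are constructed and the deny rule is a hypothetical exact-match policy.
"""

# RFC 7230 section 3.2: a field-value is surrounded by OWS (SP / HTAB), which a
# parser must remove before handing the value to anything that compares it.
OWS = " \t"


def parse_header_line(line, trim_trailing):
    """Split 'Name: value' into (lower-cased name, value).

    trim_trailing=False reproduces the defect described in the article: leading
    OWS is removed but trailing OWS survives in the returned value.
    """
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"not a header line: {line!r}")
    value = value.lstrip(OWS)
    if trim_trailing:
        value = value.rstrip(OWS)
    return name.strip(OWS).lower(), value


def policy_denies(headers, deny_rule):
    """Hypothetical exact-match deny rule: deny when every listed header matches."""
    return all(headers.get(k) == v for k, v in deny_rule.items())


def enforcement_is_consistent(raw_lines, deny_rule, proxy_trims_trailing):
    """Compare the proxy's policy decision with the upstream application's view.

    The upstream is assumed to be a conforming parser that trims both sides.
    Returns (proxy_denies, upstream_denies); a correct codec makes them agree.
    """
    proxy_headers = dict(parse_header_line(l, proxy_trims_trailing) for l in raw_lines)
    upstream_headers = dict(parse_header_line(l, True) for l in raw_lines)
    return policy_denies(proxy_headers, deny_rule), policy_denies(upstream_headers, deny_rule)


# Constructed request with trailing OWS after the value the policy cares about.
SAMPLE_LINES = ["X-Role: admin \t", "Host: svc.internal"]
DENY_RULE = {"x-role": "admin"}

if __name__ == "__main__":
    for trims in (False, True):
        proxy, upstream = enforcement_is_consistent(SAMPLE_LINES, DENY_RULE, trims)
        print(f"proxy trims trailing OWS={trims}: proxy denies={proxy}, "
              f"upstream would deny={upstream}")
```

With the defective parser the proxy sees the value `"admin \t"`, the rule does not match, and the request is forwarded, while the upstream sees plain `"admin"`; with trimming in place both sides reach the same decision. The check a policy author wants is exactly that agreement, which is why the fix belongs in the codec rather than in every individual rule.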

All three Istio series are affected – including 1.2.x, support for which is due to end this Friday. Yes, Friday the 13th, and if that’s not a signal to upgrade quick, we don’t know what is.

So, 1.2.x users should jump onto the just-released 1.2.19 or later. Istio 1.3.x users should jump onto 1.3.6 or later, while 1.4.x deployments should be switched to 1.4.2 or later.

Istio 1.3.6 also gets a brace of bug fixes and improved load-shedding options for Mixer. Istio 1.4.2, meanwhile, adds a fix to ensure Citadel automatically rotates the root certificate.