Summary

Total Articles Found: 3

Top Articles:

  • ISTIO-SECURITY-2023-001
  • ISTIO-SECURITY-2022-003
  • Announcing Istio 1.10.4

ISTIO-SECURITY-2023-001

Published: 2023-04-04 00:00:00


Keywords:

  • CVE

Disclosure Details

CVE(s): CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487

CVSS Impact Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Affected Releases:

  • All releases prior to 1.15.0
  • 1.15.0 to 1.15.6
  • 1.16.0 to 1.16.3
  • 1.17.0 to 1.17.1

Envoy CVEs

  • CVE-2023-27487 (CVSS Score 8.2, High): Client may fake the header x-envoy-original-path.
  • CVE-2023-27488 (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
  • CVE-2023-27491 (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
  • CVE-2023-27492 (CVSS Score 4.8, Moderate): Crash when a large request body is processed in Lua filter.
  • CVE-2023-27493 (CVSS Score 8.1, High): Envoy doesn’t escape HTTP header values.
  • CVE-2023-27496 (CVSS Score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.

Am I Impacted?

You may be at risk if you have an Istio gateway or if you use external istiod.


ISTIO-SECURITY-2022-003

Published: 2022-02-22 00:00:00


Keywords:

  • CVE

Disclosure Details

CVE(s): CVE-2022-23635, CVE-2021-43824, CVE-2021-43825, CVE-2021-43826, CVE-2022-21654, CVE-2022-21655, CVE-2022-23606

CVSS Impact Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Releases:

  • All releases prior to 1.11.0
  • 1.11.0 to 1.11.6
  • 1.12.0 to 1.12.3
  • 1.13.0

CVE-2022-23635

CVE-2022-23635 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack. The Istio control plane, istiod, is vulnerable to a request processing error that allows a malicious attacker who sends a specially crafted message to crash the control plane. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially multicluster topologies, this port is exposed over the public internet.

Envoy CVEs

At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however, to be transparent.

| CVE ID | Score, Rating | Description | Fixed in 1.13.1 | Fixed in 1.12.4 | Fixed in 1.11.7 |
|---|---|---|---|---|---|
| CVE-2021-43824 | 6.5, Medium | Potential null pointer dereference when using JWT filter safe_regex match. | Yes | Yes | Yes |
| CVE-2021-43825 | 6.1, Medium | Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits. | Yes | Yes | Yes |
| CVE-2021-43826 | 6.1, Medium | Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment. | Yes | Yes | Yes |
| CVE-2022-21654 | 7.3, High | Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed. | Yes | Yes | Yes |
| CVE-2022-21655 | 7.5, High | Incorrect handling of internal redirects to routes with a direct response entry. | Yes | Yes | Yes |
| CVE-2022-23606 | 4.4, Moderate | Stack exhaustion when a cluster is deleted via Cluster Discovery Service. | Yes | Yes | N/A |
| CVE-2022-21656 | 3.1, Low | X.509 subjectAltName matching (and nameConstraints) bypass. | No, next release. | No, next release. | Envoy did not backport this fix. |
| CVE-2022-21657 | 3.1, Low | X.509 Extended Key Usage and Trust Purposes bypass. | No, next release. | No, next release. | No, next release. |

Am I Impacted?

You are at most risk if you are running Istio in a multi-cluster environment, or if you have exposed your istiod externally.

Credit

We would like to thank Adam Korczynski (ADA Logics) and John Howard (Google) for the report and the fix.


Announcing Istio 1.10.4

Published: 2021-08-24 00:00:00


This release fixes the security vulnerabilities described in our August 24th post, ISTIO-SECURITY-2021-008, as well as a few minor bug fixes to improve robustness. This release note describes what’s different between Istio 1.10.3 and 1.10.4.

Security updates

  • CVE-2021-39155 (CVE-2021-32779): Istio authorization policies incorrectly compare the host header in a case-sensitive manner, whereas RFC 4343 states it should be case-insensitive. Envoy routes the request hostname in a case-insensitive way, which means the authorization policy could be bypassed. CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
  • CVE-2021-39156: Istio contains a remotely exploitable vulnerability where an HTTP request with a fragment (e.g. #Section) in the path may bypass Istio’s URI path based authorization policies. CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

Envoy Security updates

  • CVE-2021-32777 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an HTTP request with multiple value headers may bypass authorization policies when using the ext_authz extension.
  • CVE-2021-32778 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests may lead to excessive CPU consumption.
  • CVE-2021-32780 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability where an untrusted upstream service may cause Envoy to terminate abnormally by sending the GOAWAY frame followed by the SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0. Note: this vulnerability does not impact downstream client connections.
  • CVE-2021-32781 (CVSS score 8.6, High): Envoy contains a remotely exploitable vulnerability that affects Envoy’s decompressor, json-transcoder or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy extension beyond the internal buffer size may lead to Envoy accessing deallocated memory and terminating abnormally.

Changes

  • Added a validator to prevent empty regex matches. (Issue #34065)
  • Added a new analyzer to check for image: auto in Pods and Deployments that will not be injected.
  • Fixed a bug where having multiple gateways on the same port with SIMPLE and PASSTHROUGH modes does not work correctly. (Issue #33405)
  • Fixed a bug in Kubernetes Ingress causing paths with prefixes of the form /foo to match the route /foo/ but not the route /foo.
