This page lists the security bulletins for Istio on Google Kubernetes Engine
(Istio on GKE).
Use this XML feed to subscribe to Istio on GKE security bulletins.
The Envoy/Istio project recently disclosed several new security vulnerabilities that affect Anthos Service Mesh and Istio on Google Kubernetes Engine:
CVE-2021-28682: Envoy through 1.17.1 contains a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
CVE-2021-28683: Envoy through 1.17.1 contains a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
CVE-2021-29258: Envoy through 1.17.1 contains a remotely exploitable vulnerability where an HTTP2 request with an empty metadata map can cause Envoy to crash.
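As an added illustration of the input class named in CVE-2021-28682 (this is example code, not Envoy's, Istio's or Google's implementation), the following is a bounds-checked parser for the gRPC grpc-timeout header. The 1-to-8-digit limit and the unit letters H, M, S, m, u, n come from the gRPC wire specification; converting to milliseconds and rounding sub-millisecond units up are this example's own choices.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <string>

// Example code, not Envoy's: parse a grpc-timeout header value such as
// "250m" or "2H" into milliseconds. Returns std::nullopt for anything
// malformed or not representable, instead of letting an oversized value
// wrap into a bogus timeout.
std::optional<int64_t> parseGrpcTimeoutMs(const std::string& header) {
  if (header.size() < 2) return std::nullopt;  // need digits plus a unit
  const char unit = header.back();
  const std::string digits = header.substr(0, header.size() - 1);
  // gRPC spec: TimeoutValue is at most 8 ASCII digits. Enforcing this is
  // what stops a "very large" value from ever reaching the arithmetic.
  if (digits.size() > 8) return std::nullopt;
  int64_t value = 0;
  for (char c : digits) {
    if (c < '0' || c > '9') return std::nullopt;
    value = value * 10 + (c - '0');  // at most 99999999, cannot overflow
  }
  int64_t mult = 1;     // multiplier to milliseconds for H/M/S/m
  int64_t divisor = 1;  // divisor to milliseconds for u/n
  switch (unit) {
    case 'H': mult = 3600 * 1000; break;
    case 'M': mult = 60 * 1000; break;
    case 'S': mult = 1000; break;
    case 'm': break;
    case 'u': divisor = 1000; break;
    case 'n': divisor = 1000000; break;
    default: return std::nullopt;  // unknown unit letter
  }
  // Defence in depth: even if the digit limit above were relaxed, refuse to
  // multiply when the product would not fit in int64 rather than wrapping.
  if (value > std::numeric_limits<int64_t>::max() / mult) return std::nullopt;
  // Exactly one of mult/divisor is > 1; round sub-millisecond units up so a
  // non-zero timeout never collapses to zero.
  return (value * mult + divisor - 1) / divisor;
}
```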
What should I do?
To fix these vulnerabilities, upgrade to the latest patch release. For instructions, see Upgrading Istio on GKE.