Security bulletins

This page lists the security bulletins for Istio on Google Kubernetes Engine (Istio on GKE).

Use this XML feed to subscribe to Istio on GKE security bulletins.

GCP-2022-007

Description

Istiod crashes upon receiving requests with a specially crafted authorization header.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Istio on GKE patch versions earlier than 1.6.14-gke.9, 1.4.11-gke.4, or 1.4.10-gke.23.
  • All Istio on GKE versions are impacted by this CVE.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.6.14-gke.9
  • 1.4.11-gke.4
  • 1.4.10-gke.23

If you are using GKE 1.22 or higher, please use Istio on GKE 1.4.10. Otherwise, use Istio on GKE 1.4.11.

Severity: High

Notes: CVE-2022-23635

Description

Potential null pointer dereference when using JWT filter safe_regex match.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Istio on GKE patch versions earlier than 1.6.14-gke.9, 1.4.11-gke.4, or 1.4.10-gke.23.
  • Although Istio on GKE does not support Envoy filters, you could be impacted if you use JWT filter regex.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.6.14-gke.9
  • 1.4.11-gke.4
  • 1.4.10-gke.23

If you are using GKE 1.22 or higher, please use Istio on GKE 1.4.10. Otherwise, use Istio on GKE 1.4.11.

Severity: Medium

Notes: CVE-2021-43824

Description

Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Istio on GKE patch versions earlier than 1.6.14-gke.9, 1.4.11-gke.4, or 1.4.10-gke.23.
  • Although Istio on GKE does not support Envoy filters, you could be impacted if you use a decompress filter.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.6.14-gke.9
  • 1.4.11-gke.4
  • 1.4.10-gke.23

If you are using GKE 1.22 or higher, please use Istio on GKE 1.4.10. Otherwise, use Istio on GKE 1.4.11.

Severity: Medium

Notes: CVE-2021-43825

Description

Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Istio on GKE patch versions earlier than 1.6.14-gke.9, 1.4.11-gke.4, or 1.4.10-gke.23.
  • Although Istio on GKE does not support Envoy filters, you could be impacted if you use a tunneling filter.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.6.14-gke.9
  • 1.4.11-gke.4
  • 1.4.10-gke.23

If you are using GKE 1.22 or higher, please use Istio on GKE 1.4.10. Otherwise, use Istio on GKE 1.4.11.

Severity: Medium

Notes: CVE-2021-43826

Description

Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Istio on GKE patch versions earlier than 1.6.14-gke.9, 1.4.11-gke.4, or 1.4.10-gke.23.
  • All Istio on GKE services using mTLS are impacted by this CVE.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.6.14-gke.9
  • 1.4.11-gke.4
  • 1.4.10-gke.23

If you are using GKE 1.22 or higher, please use Istio on GKE 1.4.10. Otherwise, use Istio on GKE 1.4.11.

Severity: High

Notes: CVE-2022-21654

Description

Incorrect handling of internal redirects to routes with a direct response entry.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Istio on GKE patch versions earlier than 1.6.14-gke.9, 1.4.11-gke.4, or 1.4.10-gke.23.
  • Although Istio on GKE does not support Envoy filters, you could be impacted if you use a direct response filter.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.6.14-gke.9
  • 1.4.11-gke.4
  • 1.4.10-gke.23

If you are using GKE 1.22 or higher, please use Istio on GKE 1.4.10. Otherwise, use Istio on GKE 1.4.11.

Severity: High

Notes: CVE-2022-21655

GCP-2021-016

Published: 2021-08-24

Description

Istio contains a remotely exploitable vulnerability where an HTTP request with a fragment (a section at the end of a URI that begins with a # character) in the URI path could bypass Istio's URI path-based authorization policies.

For example, suppose an Istio authorization policy denies requests sent to the URI path /user/profile. In the vulnerable versions, a request with the URI path /user/profile#section1 bypasses the deny policy and is routed to the backend (with the normalized URI path /user/profile%23section1), which leads to a security incident.

This fix depends on a fix in Envoy, which is associated with CVE-2021-32779.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

Mitigation

Upgrade your cluster to the following patched version:

  • 1.6.14-gke.5

With the new version, the fragment part of the request's URI is removed before authorization and routing. This prevents a request with a fragment in its URI from bypassing authorization policies that are based on the URI without the fragment part.

Opt-out

If you opt out of this new behavior, the fragment section of the URI is kept. To opt out, configure your installation as follows:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: opt-out-fragment-cve-fix
  namespace: istio-system
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED: "false"

Note: Opting out of this behavior makes your system vulnerable to this CVE.

Severity: High

Notes: CVE-2021-39156
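
As an added illustration (not code from Istio or from this bulletin), the following Python models the path that a DENY rule for /user/profile evaluates before and after the fix: with the fragment kept, as in the vulnerable and opt-out behavior, the path reaches the check as /user/profile%23section1 and is not denied; with the fragment stripped first, the same request is denied. The DENY_PATHS set, the functions and the sample paths are constructed for this example.

```python
from urllib.parse import quote

# Constructed for this example: the policy denies exactly this URI path,
# as in the bulletin's /user/profile scenario.
DENY_PATHS = {"/user/profile"}


def path_seen_by_policy(raw_path: str, strip_fragment: bool) -> str:
    """Return the path that the authorization check (and routing) evaluates.

    strip_fragment=True models the patched behaviour: everything from the
    first '#' onward is dropped before authorization.
    strip_fragment=False models the vulnerable / opt-out behaviour: the
    fragment stays in the path and '#' is percent-encoded as '%23' during
    normalization, so the path no longer equals the denied path.
    """
    if strip_fragment:
        return raw_path.split("#", 1)[0]
    # quote() leaves '/' alone and encodes '#' as '%23'.
    return quote(raw_path, safe="/")


def evaluate(raw_path: str, strip_fragment: bool) -> tuple:
    """Apply the DENY rule; returns (decision, path forwarded to the backend)."""
    path = path_seen_by_policy(raw_path, strip_fragment)
    decision = "DENY" if path in DENY_PATHS else "ALLOW"
    return decision, path


def requests_with_fragment(access_log_paths):
    """Defender-side check over logged request paths: a conforming client never
    sends the fragment in the request-target, so a logged path containing '#'
    is worth investigating."""
    return [p for p in access_log_paths if "#" in p]


if __name__ == "__main__":
    for strip in (False, True):
        print("strip_fragment =", strip, evaluate("/user/profile#section1", strip))
```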

Description

Istio contains a remotely exploitable vulnerability where an HTTP request could potentially bypass an Istio authorization policy when using rules based on hosts or notHosts.

In the vulnerable versions, the Istio authorization policy compares the HTTP Host or :authority headers in a case-sensitive manner, which is inconsistent with RFC 4343. For example, a user could have an authorization policy that rejects requests with the host secret.com, but an attacker can bypass it by sending the request to the hostname Secret.com. The routing flow sends the traffic to the backend for secret.com, which causes a security incident.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Istio on GKE 1.6 with patch versions earlier than 1.6.14-gke.5. (Istio on GKE 1.4 is not impacted because its authorization policy denies all traffic by default and does not support notHosts.)
  • It uses authorization policies with DENY actions based on operation.hosts, or ALLOW actions based on operation.notHosts.
Mitigation

Upgrade your cluster to the following patched version:

  • 1.6.14-gke.5

This mitigation makes sure that the HTTP Host or :authority headers are evaluated against the hosts or notHosts specs in the authorization policies in a case-insensitive manner.

Severity: High

Notes: CVE-2021-39155
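
An added example (not Istio's code) of the two policy shapes this bulletin names, operation.hosts under a DENY action and operation.notHosts under an ALLOW action, evaluated first with the case-sensitive comparison of the vulnerable versions and then with the case-insensitive comparison of the patched version. The policy dictionaries, the functions and the sample hostnames are constructed for this example; only the hosts/notHosts condition is modelled.

```python
# Constructed for this example: minimal models of the two policy shapes in
# the bulletin, using the bulletin's secret.com host.
DENY_SECRET = {"action": "DENY", "hosts": ["secret.com"]}
ALLOW_NOT_SECRET = {"action": "ALLOW", "notHosts": ["secret.com"]}


def host_matches(policy_host: str, authority: str, case_insensitive: bool) -> bool:
    """Compare a policy host with the request's Host/:authority value.

    case_insensitive=False is the vulnerable comparison; True is the patched
    one (hostnames are case-insensitive per RFC 4343).
    """
    if case_insensitive:
        return policy_host.lower() == authority.lower()
    return policy_host == authority


def evaluate(policy: dict, authority: str, case_insensitive: bool) -> str:
    """Return ALLOW or DENY for one request against one policy.

    DENY + hosts:     deny when the request host is in the list.
    ALLOW + notHosts: the rule matches (and allows) only when the request host
                      is NOT in the list; a request matching no ALLOW rule is
                      denied.
    """
    hosts = policy.get("hosts", [])
    not_hosts = policy.get("notHosts", [])
    in_hosts = any(host_matches(h, authority, case_insensitive) for h in hosts)
    in_not_hosts = any(host_matches(h, authority, case_insensitive) for h in not_hosts)
    # The operation condition holds when the host is in `hosts` (if given)
    # and not in `notHosts` (if given).
    rule_matches = (not hosts or in_hosts) and not in_not_hosts
    if policy["action"] == "DENY":
        return "DENY" if rule_matches else "ALLOW"
    return "ALLOW" if rule_matches else "DENY"


if __name__ == "__main__":
    for ci in (False, True):
        print("case_insensitive =", ci,
              evaluate(DENY_SECRET, "Secret.com", ci),
              evaluate(ALLOW_NOT_SECRET, "Secret.com", ci))
```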

Description

Envoy contains a remotely exploitable vulnerability in which an HTTP request with multiple-value headers could lead to an incomplete authorization policy check when the ext_authz extension is used. When a request header contains multiple values, the external authorization server sees only the last value of the given header.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses patch versions earlier than 1.4.10-gke.17 or 1.6.14-gke.5.
  • It uses the Istio on GKE external authorization (ext_authz) extension.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.4.10-gke.17
  • 1.6.14-gke.5

Severity: High

Notes: CVE-2021-32777
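
An added example (not Envoy's code) of the header handling this bulletin describes: a request that repeats a header is handed to a hypothetical external authorization server once with only the last value, as in the vulnerable versions, and once with every value preserved (joined with commas, which is an assumption made for this example, not a description of Envoy's fix). The request headers, the x-scope header and the server's rule are constructed for this example.

```python
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # request headers in wire order; names may repeat


def forward_last_value_only(headers: Headers) -> Dict[str, str]:
    """Vulnerable behaviour from the bulletin: for a repeated header name the
    authorization server receives only the last value."""
    out: Dict[str, str] = {}
    for name, value in headers:
        out[name.lower()] = value
    return out


def forward_all_values(headers: Headers) -> Dict[str, str]:
    """Assumed safe behaviour: every value of a repeated header is kept,
    joined with ',' as HTTP allows for list-valued headers."""
    out: Dict[str, str] = {}
    for name, value in headers:
        key = name.lower()
        out[key] = value if key not in out else out[key] + "," + value
    return out


def authz_server(forwarded: Dict[str, str]) -> str:
    """Hypothetical external authorization rule: allow only when every value
    of x-scope is 'read'; any other value anywhere in the header denies."""
    scopes = [s.strip() for s in forwarded.get("x-scope", "").split(",")]
    return "ALLOW" if all(s == "read" for s in scopes) else "DENY"


# Constructed request: the same header sent twice.
CONSTRUCTED_HEADERS: Headers = [
    (":method", "POST"),
    (":path", "/api/items"),
    ("x-scope", "write"),
    ("x-scope", "read"),
]


def decide(headers: Headers, forward_all: bool) -> str:
    """Run the request through one of the two forwarding behaviours."""
    forwarded = forward_all_values(headers) if forward_all else forward_last_value_only(headers)
    return authz_server(forwarded)


if __name__ == "__main__":
    print("last value only:", decide(CONSTRUCTED_HEADERS, forward_all=False))
    print("all values:     ", decide(CONSTRUCTED_HEADERS, forward_all=True))
```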

Description

Envoy contains a remotely exploitable vulnerability that affects Envoy's decompressor, json-transcoder, or grpc-web extensions, or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy extension beyond the internal buffer size could lead to Envoy accessing deallocated memory and terminating abnormally.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses patch versions earlier than 1.4.10-gke.17 or 1.6.14-gke.5.
  • It uses EnvoyFilter.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.4.10-gke.17
  • 1.6.14-gke.5

Severity: High

Notes: CVE-2021-32781

GCP-2021-004

Published: 2021-05-07

Description

The Envoy/Istio project recently announced several new security vulnerabilities that affect Anthos Service Mesh and Istio on Google Kubernetes Engine:

  • CVE-2021-28682: Envoy through 1.17.1 contains a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
  • CVE-2021-28683: Envoy through 1.17.1 contains a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
  • CVE-2021-29258: Envoy through 1.17.1 contains a remotely exploitable vulnerability where an HTTP2 request with an empty metadata map can cause Envoy to crash.

What should I do?

To fix these vulnerabilities, upgrade to the latest patch release. For instructions, see Upgrading Istio on GKE.

Severity: High

Notes: CVE-2021-28682, CVE-2021-28683, CVE-2021-29258