Security bulletins

This page lists the security bulletins for Istio on Google Kubernetes Engine (Istio on GKE).

Use this XML feed to subscribe to Istio on GKE security bulletins.

GCP-2021-004

Published: 2021-05-07
Description:

The Envoy/Istio project recently announced several new security vulnerabilities that affect Anthos Service Mesh and Istio on Google Kubernetes Engine:

  • CVE-2021-28682: Envoy through 1.17.1 contains a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
  • CVE-2021-28683: Envoy through 1.17.1 contains a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
  • CVE-2021-29258: Envoy through 1.17.1 contains a remotely exploitable vulnerability where an HTTP2 request with an empty metadata map can cause Envoy to crash.
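The first item, the grpc-timeout overflow, comes down to scaling a client-supplied number without bounding it first. The following is an added example written for this page, not Envoy's or Istio's code: a parser for the grpc-timeout header that enforces the 8-digit limit from the gRPC-over-HTTP/2 spec and refuses any value whose scaled form would overflow int64_t (the unit table and the function name are this example's own).

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Unit suffixes defined by the gRPC-over-HTTP/2 spec for grpc-timeout,
// expressed as nanoseconds per unit. Returns false for an unknown unit.
static bool grpcTimeoutUnitNs(char unit, int64_t& outNs) {
    switch (unit) {
        case 'H': outNs = 3600LL * 1000000000LL; return true;
        case 'M': outNs = 60LL * 1000000000LL;   return true;
        case 'S': outNs = 1000000000LL;          return true;
        case 'm': outNs = 1000000LL;             return true;
        case 'u': outNs = 1000LL;                return true;
        case 'n': outNs = 1LL;                   return true;
        default:  return false;
    }
}

// Parse a grpc-timeout value such as "100m" or "5S" into nanoseconds.
// Returns false for anything malformed, for more than the 8 digits the
// spec allows, or for a value that would overflow int64_t once scaled.
bool parseGrpcTimeoutNs(const std::string& value, int64_t& outNs) {
    // Shortest legal value is one digit plus a unit; longest is 8 digits plus a unit.
    if (value.size() < 2 || value.size() > 9) return false;
    const size_t digits = value.size() - 1;
    int64_t n = 0;
    for (size_t i = 0; i < digits; ++i) {
        const char c = value[i];
        if (c < '0' || c > '9') return false;  // rejects signs, spaces, hex, etc.
        n = n * 10 + (c - '0');                // at most 8 digits: cannot overflow
    }
    int64_t unitNs = 0;
    if (!grpcTimeoutUnitNs(value.back(), unitNs)) return false;
    // Check the multiplication before performing it: a large hour count
    // (e.g. the maximum 8-digit value with unit H) does not fit in int64_t.
    if (n > std::numeric_limits<int64_t>::max() / unitNs) return false;
    outNs = n * unitNs;
    return true;
}
```

A caller that computes deadlines from the result (or that uses a narrower type than int64_t) should treat a `false` return as a malformed request rather than falling back to a default timeout silently.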

What should I do?

To fix these vulnerabilities, upgrade to the latest patch release. For instructions, see Upgrading Istio on GKE.

Severity: High

Notes:
  • CVE-2021-28682
  • CVE-2021-28683
  • CVE-2021-29258