Security Update - ISTIO-SECURITY-2019-006
ISTIO-SECURITY-2019-006: Envoy, and subsequently Istio, are vulnerable to the following DoS attack:
- CVE-2019-18817: An infinite loop can be triggered in Envoy if the option
continue_on_listener_filters_timeoutis set to
True. This has been the case for Istio since the introduction of the Protocol Detection feature in Istio 1.3 A remote attacker may trivially trigger that vulnerability, effectively exhausting Envoy’s CPU resources and causing a denial-of-service attack.
Affected Istio releases
The following Istio releases are vulnerable:
- 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4
Overall CVSS score: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
Vulnerability impact and detection
Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the versions listed above, your cluster is vulnerable.
- Workaround: The exploitation of that vulnerability can be prevented by customizing Istio installation (as described in installation options ), using Helm to override the following options:
--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
- We are going to release a fixed version of Istio as soon as possible to address this vulnerability.
We'd like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.