Security Update - ISTIO-SECURITY-2019-006

ISTIO-SECURITY-2019-006: Envoy, and consequently Istio, are vulnerable to the following denial-of-service (DoS) attack:

  • CVE-2019-18817: An infinite loop can be triggered in Envoy if the option continue_on_listener_filters_timeout is set to true. This has been the case for Istio since the introduction of the Protocol Detection feature in Istio 1.3. A remote attacker may trivially trigger this vulnerability, effectively exhausting Envoy's CPU resources and causing a denial of service.

Affected Istio releases

The following Istio releases are vulnerable:

  • 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4

Impact score

Overall CVSS score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C)

Vulnerability impact and detection

Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the versions listed above, your cluster is vulnerable.

Mitigation

  • Workaround: Exploitation of this vulnerability can be prevented by customizing the Istio installation (as described in the installation options), using Helm to override the following options:
    --set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
  • We are going to release a fixed version of Istio as soon as possible to address this vulnerability.
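The following added example (not Istio's own code) shows how an operator might audit a cluster inventory against this advisory: it checks whether a reported Istio version is in the affected list and whether the mesh configuration actually disables protocol detection (timeout of 0s, as the workaround sets). It assumes the Helm value global.proxy.protocolDetectionTimeout surfaces in the mesh config as a `protocolDetectionTimeout` key holding a Go-style duration; the mesh-config excerpts are constructed for illustration.

```python
import re

# Releases the advisory lists as vulnerable ("1.3" is treated as 1.3.0).
AFFECTED_VERSIONS = {(1, 3, 0), (1, 3, 1), (1, 3, 2), (1, 3, 3), (1, 3, 4)}

_DURATION_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)")

# Constructed mesh-config excerpts (not taken from any real cluster).
VULNERABLE_MESH = "mesh: |-\n  protocolDetectionTimeout: 100ms\n"
MITIGATED_MESH = "mesh: |-\n  protocolDetectionTimeout: 0s\n"


def parse_version(version: str) -> tuple:
    """Turn '1.3.2' (or 'v1.3') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True when the version is one the advisory lists as vulnerable."""
    return parse_version(version) in AFFECTED_VERSIONS


def parse_go_duration(text: str) -> float:
    """Parse a Go-style duration such as '100ms', '0s' or '1m30s' into seconds."""
    text = text.strip()
    if text in ("0", "0s"):
        return 0.0
    pos, total = 0, 0.0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:  # gap between units means garbage in the string
            raise ValueError(f"malformed duration: {text!r}")
        total += float(m.group(1)) * _DURATION_UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"malformed duration: {text!r}")
    return total


def needs_mitigation(version: str, mesh_config: str) -> bool:
    """True when the release is affected and protocol detection is not disabled (timeout > 0)."""
    if not is_affected_version(version):
        return False
    # Assumed key name; a missing key means the 1.3 default (detection enabled) still applies.
    m = re.search(r"^\s*protocolDetectionTimeout:\s*[\"']?([^\s\"']+)", mesh_config, re.M)
    if m is None:
        return True
    return parse_go_duration(m.group(1)) > 0
```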

We'd like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.