Announcing Istio 1.4.4

Patch Release

This release includes bug fixes to improve robustness and user experience as well as a fix for the security vulnerability described in our February 11th, 2020 news post. This release note describes what’s different between Istio 1.4.3 and Istio 1.4.4.

Security update

  • ISTIO-SECURITY-2020-001: Improper input validation has been discovered in AuthenticationPolicy.

CVE-2020-8595: A bug in Istio’s Authentication Policy exact path matching logic allows unauthorized access to resources without a valid JWT token.

Bug fixes

  • Fixed Debian packaging of iptables scripts (Issue 19615).
  • Fixed an issue where Pilot generated a wrong Envoy configuration when the same port was used more than once (Issue 19935).
  • Fixed an issue where running multiple instances of Pilot could lead to a crash (Issue 20047).
  • Fixed a potential flood of configuration pushes from Pilot to Envoy when scaling the deployment to zero (Issue 17957).
  • Fixed an issue where Mixer could not fetch the correct information from the request/response when a pod contains a dot in its name (Issue 20028).
  • Fixed an issue where Pilot sometimes would not send a correct pod configuration to Envoy (Issue 19025).
  • Fixed an issue where the sidecar injector with SDS enabled was overwriting the pod securityContext section instead of just patching it (Issue 20409).

Improvements

  • Improved compatibility with Google CA (Issues 20530, 20560).
  • Added an analyzer error message when Policies using JWT are not configured properly (Issues 20884, 20767).