Reasons to update Istio: CVEs fixed since 1.9.0

A list of security vulnerabilities that highlight the necessity to keep Istio up to date.

**1.9.1:**
A[ zero-day security vulnerability](https://groups.google.com/g/envoy-security-announce/c/Hp16L27L00Q) was fixed in the version of Envoy shipped with Istio 1.9.0. This vulnerability was fixed on February 26th, 2021.

**1.9.3:**
Fixes the security vulnerabilities described in their [blog post](https://istio.io/latest/news/security/istio-security-2021-003)

- [CVE-2021-28683](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28683): Envoy contains a remotely exploitable NULL pointer dereference and crash in TLS when an unknown TLS alert code is received.
  - CVSS Score: 7.5 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1)
- [CVE-2021-28682](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28682): Envoy contains a remotely exploitable integer overflow in which a very large grpc-timeout value leads to unexpected timeout calculations.
  - CVSS Score: 7.5 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1)
- [CVE-2021-29258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29258): Envoy contains a remotely exploitable vulnerability where an HTTP2 request with an empty metadata map can cause Envoy to crash.
  - CVSS Score: 7.5 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1)

**1.9.5:**
Fixes the security vulnerabilities described in the blog posts [ISTIO-SECURITY-2021-005](https://istio.io/latest/news/security/istio-security-2021-005) and [ISTIO-SECURITY-2021-006](https://istio.io/latest/news/security/istio-security-2021-006)

- [ CVE-2021-31920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31920): Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. See the [ISTIO-SECURITY-2021-005](https://istio.io/latest/news/security/istio-security-2021-005) bulletin for more details.
  - CVSS Score: 8.1 [AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
- [CVE-2021-29492](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29492): Envoy contains a remotely exploitable vulnerability where an HTTP request with escaped slash characters can bypass Envoy’s authorization mechanisms.
  - CVSS Score: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
- [CVE-2021-31921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31921): Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration. See the [ISTIO-SECURITY-2021-006 bulletin](https://istio.io/latest/news/security/istio-security-2021-006) for more details.
  - CVSS Score: 10.0 [AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

/cc @yanniszark 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Reasons to update Istio: CVEs fixed since 1.9.0 #1893

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Reasons to update Istio: CVEs fixed since 1.9.0 #1893

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions