Istio 1.4.6 released: a management tool for large-scale microservice systems

Istio 1.4.6 has been released. Istio is an open-source project jointly developed by Google, IBM and Lyft that aims to provide a unified way to connect, secure, manage and monitor microservices. Specifically, the Istio service mesh is an open-source platform that ensures microservices connect to each other in a specified way while handling failures.

The new version is mainly a security update. The changes are as follows:

  • ISTIO-SECURITY-2020-003: Envoy has two uncontrolled resource consumption vulnerabilities and two incorrect access control vulnerabilities.

    • CVE-2020-8659: The Envoy proxy may consume excessive memory when proxying HTTP/1.1 requests or responses that contain many small (i.e., 1 byte) chunks.

    • CVE-2020-8660: The Envoy proxy contains a TLS inspector that a client using only TLS 1.3 can bypass (the client is not recognized as a TLS client).

    • CVE-2020-8661: The Envoy proxy may consume excessive memory when responding to pipelined HTTP/1.1 requests.

    • CVE-2020-8664: For the SDS TLS validation context in the Envoy proxy, the update callback is called only when the secret is first received or when its value changes.

  • This vulnerability only affects the SDS implementation of Istio's certificate rotation mechanism in Istio 1.4.5 and earlier, and only when both SDS and mutual TLS are enabled. SDS is off by default and must be explicitly enabled by the operator in all Istio versions prior to 1.5. Istio's default secret distribution implementation, which is based on Kubernetes secret mounts, is not affected by this vulnerability.

Update description: https://istio.io/news/releases/1.4.x/announcing-1.4.6/

Origin www.oschina.net/news/113828/istio-1-4-6-released