- ISTIO-SECURITY-2019-006 #5481
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
oaktowner
suggested changes
Nov 7, 2019
| --- | ||
|
|
||
| __ISTIO-SECURITY-2019-006__: Envoy, and subsequently Istio, are vulnerable to the following DoS attack: | ||
| * __[CVE-2019-18817](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18817)__: An infinite loop can be triggered in Envoy’s code if the option `continue_on_listener_filters_timeout` is set to `True`. This is the case for Istio since the introduction of Protocol Detection feature. |
There was a problem hiding this comment.
s/This is the case/This has been the case
| ## Mitigation | ||
|
|
||
| * Workaound: | ||
| The exploitation of that vulnerability can be prevented by customizing Istio install (as described in https://istio.io/docs/reference/config/installation-options/#pilot-options ), using Helm to override the following options: |
There was a problem hiding this comment.
s/Istio install/the Istio installation
| ``` | ||
| --set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s | ||
| ``` | ||
| * We are going to release a fixed version of Istio very soon to address this vulnerability. |
There was a problem hiding this comment.
s/very soon/as soon as possible
fpesce
commented
Nov 7, 2019
fpesce
commented
Nov 7, 2019
geeknoid
reviewed
Nov 7, 2019
| @@ -0,0 +1,37 @@ | |||
| --- | |||
| title: Security Update - ISTIO-SECURITY-2019-006 | |||
| description: Security vulnerability disclosure for CVE-2019-XXXXX. | |||
added 2 commits
November 7, 2019 15:34
…into ISTIO-SECURITY-2019-006
sdake
reviewed
Nov 8, 2019
|
Meta comment... this is an announcement for a zero day vulnerability. The feedback suggestions should not block this PR. And please use github suggestions. The PR author can easily apply them to a PR and we can get this out faster. |
Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
fpesce
commented
Nov 8, 2019
geeknoid
reviewed
Nov 8, 2019
| --- | ||
| title: Security Update - ISTIO-SECURITY-2019-006 | ||
| description: Security vulnerability disclosure for CVE-2019-18817. | ||
| publishdate: 2019-11-07 |
There was a problem hiding this comment.
Suggested change
| publishdate: 2019-11-07 | |
| publishdate: 2019-11-08 |
Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
linsun
approved these changes
Nov 8, 2019
geeknoid
approved these changes
Nov 8, 2019
|
In response to a cherrypick label: #5481 failed to apply on top of branch "release-1.3": |
geeknoid
added a commit
that referenced
this pull request
Nov 8, 2019
* - ISTIO-SECURITY-2019-006 (#5481) * - ISTIO-SECURITY-2019-006 * - address linting process * Apply suggestions from code review * Add spelling * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com> * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com> * Update content/en/news/2019/istio-security-2019-006/index.md * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com> (cherry picked from commit 2607a9b) * Update .spelling
so-jelly
pushed a commit
to so-jelly/istio.io
that referenced
this pull request
Mar 14, 2020
* - ISTIO-SECURITY-2019-006 (istio#5481) * - ISTIO-SECURITY-2019-006 * - address linting process * Apply suggestions from code review * Add spelling * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com> * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com> * Update content/en/news/2019/istio-security-2019-006/index.md * Update content/en/news/2019/istio-security-2019-006/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com> (cherry picked from commit 2607a9b) * Update .spelling
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.