ISTIO-SECURITY-2019-006: DoS affecting Istio 1.3.x versions

The Istio Product Security Committee would like to inform you that a vulnerability affecting all Istio versions released after 1.3 (included) has been discovered. Note that the 1.4-alpha and 1.4-beta releases are also affected.

This vulnerability has been discussed publicly as a “high CPU” or “100% CPU” bug, and as such is considered a 0-day vulnerability.

As we are working on a code fix to address this issue, we would like to share an existing workaround. The exploitation of that vulnerability can be prevented by customizing your Istio install (as described in ), using Helm to override the following options:

--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s


Francois (on behalf of Istio’s PSC)


What does these changes mean? 0s means “no timeout” at all, doesn’t it?


@dontreboot Istio 1.3.5 with a security fix has been released today, so you can upgrade to this version.

What are the implications are the changes? When are the proper fixes be out?

@dontreboot 1.3.5 contains the proper fixes (i.e. the timeout workaround are only required for 1.3 to 1.3.4 included).