ISTIO-SECURITY-2019-006: DoS affecting Istio 1.3.x versions

The Istio Product Security Committee would like to inform you that a vulnerability affecting all Istio versions released after 1.3 (included) has been discovered. Note that the 1.4-alpha and 1.4-beta releases are also affected.

This vulnerability has been discussed publicly as a “high CPU” or “100% CPU” bug, and as such is considered a 0-day vulnerability.

As we are working on a code fix to address this issue, we would like to share an existing workaround. The exploitation of that vulnerability can be prevented by customizing your Istio install (as described in https://istio.io/docs/reference/config/installation-options/#pilot-options ), using Helm to override the following options:

--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s

Thanks,

Francois (on behalf of Istio’s PSC)

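As an added example (not part of the PSC's post or of Istio's own tooling), the following Python audit checks whether both halves of the workaround above are actually in place on a cluster. It takes the JSON that `kubectl get deployment istio-pilot -n istio-system -o json` and `kubectl get configmap istio -n istio-system -o json` would return and reports whether the pilot env var and the mesh setting are both zero. The resource names, the `mesh` key of the `istio` ConfigMap, and the assumption that the Helm value `global.proxy.protocolDetectionTimeout` lands in MeshConfig as `protocolDetectionTimeout` describe a stock Helm-based 1.3 install and are assumptions; the sample objects embedded below are constructed, not captured from a real cluster.

```python
import json
import re
from typing import Optional

# Env var name comes straight from the advisory's Helm override (pilot.env.*).
PILOT_ENV = "PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT"
# Assumption: global.proxy.protocolDetectionTimeout is rendered into the
# `mesh` block of the `istio` ConfigMap under this MeshConfig field name.
MESH_FIELD = "protocolDetectionTimeout"


def pilot_timeout_env(deployment: dict) -> Optional[str]:
    """Value of PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT on any pilot container, or None if unset."""
    containers = (deployment.get("spec", {}).get("template", {})
                  .get("spec", {}).get("containers", []))
    for container in containers:
        for env in container.get("env", []):
            if env.get("name") == PILOT_ENV:
                return env.get("value")
    return None


def mesh_timeout(configmap: dict) -> Optional[str]:
    """Value of protocolDetectionTimeout inside the ConfigMap's `mesh` YAML text, or None."""
    mesh_yaml = configmap.get("data", {}).get("mesh", "")
    # Plain regex instead of a YAML parser so the check runs without PyYAML;
    # assumes the field sits at the top level of the mesh block.
    match = re.search(rf"^\s*{MESH_FIELD}:\s*([^\s#]+)", mesh_yaml, re.MULTILINE)
    return match.group(1).strip("\"'") if match else None


def is_zero_duration(value: Optional[str]) -> bool:
    """True for 0, 0s, 0ms, ... (any spelling of a zero Go duration); False for unset or non-zero."""
    if value is None:
        return False
    return re.fullmatch(r"0+(\.0+)?(ns|us|µs|ms|s|m|h)?", value.strip()) is not None


def audit(deployment: dict, configmap: dict) -> dict:
    """Summarise both settings; 'mitigated' is True only when both are disabled (0s)."""
    env_value = pilot_timeout_env(deployment)
    mesh_value = mesh_timeout(configmap)
    return {
        "pilot_env": env_value,
        "mesh": mesh_value,
        "mitigated": is_zero_duration(env_value) and is_zero_duration(mesh_value),
    }


def workaround_applied(deployment: dict, configmap: dict) -> bool:
    return audit(deployment, configmap)["mitigated"]


# Constructed sample objects (trimmed to the fields the audit reads).
VULNERABLE_DEPLOY = {"spec": {"template": {"spec": {"containers": [
    {"name": "discovery", "env": [{"name": "PILOT_TRACE_SAMPLING", "value": "1"}]}]}}}}
VULNERABLE_CM = {"data": {"mesh": "disablePolicyChecks: true\nprotocolDetectionTimeout: 100ms\n"}}

MITIGATED_DEPLOY = {"spec": {"template": {"spec": {"containers": [
    {"name": "discovery", "env": [{"name": PILOT_ENV, "value": "0s"}]}]}}}}
MITIGATED_CM = {"data": {"mesh": "disablePolicyChecks: true\nprotocolDetectionTimeout: 0s\n"}}


if __name__ == "__main__":
    # Replace the samples with json.load() of the two kubectl outputs to audit a real cluster.
    for label, dep, cm in (("vulnerable", VULNERABLE_DEPLOY, VULNERABLE_CM),
                           ("mitigated", MITIGATED_DEPLOY, MITIGATED_CM)):
        print(label, json.dumps(audit(dep, cm)))
```

Because the Helm override only takes effect on pods created after the change, run the audit against the live Deployment and ConfigMap rather than the values file, and restart the pilot pods and re-check if the env var is missing. A cluster already upgraded to 1.3.5 does not need the override.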

What do these changes mean? 0s means “no timeout” at all, doesn’t it?

Yes.

@dontreboot Istio 1.3.5 with a security fix has been released today, so you can upgrade to this version.

What are the implications of the changes? When will the proper fixes be out?

@dontreboot 1.3.5 contains the proper fixes (i.e. the timeout workaround is only required for 1.3 to 1.3.4 included).