ISTIO-SECURITY-2019-006: DoS affecting Istio all 1.3.x versions

Forwarding to #general to ensure folks see this…

The Istio Product Security Committee would like to inform you that a vulnerability affecting all Istio versions released after 1.3 (included) has been discovered. Note that the 1.4-alpha and 1.4-beta releases are also affected.

This vulnerability has been discussed publicly as a “high CPU” or “100% CPU” bug, and as such is considered a 0-day vulnerability.

As we are working on a code fix to address this issue, we would like to share an existing workaround. The exploitation of that vulnerability can be prevented by customizing your Istio install (as described in https://istio.io/docs/reference/config/installation-options/#pilot-options ), using Helm to override the following options:

--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s

Thanks,

Francois (on behalf of Istio’s PSC)
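The two Helm overrides above land in different places: pilot.env.* becomes an environment variable on the pilot container, and global.proxy.protocolDetectionTimeout becomes the protocolDetectionTimeout field of the mesh config. The following is an added example (not part of the advisory or of Istio's own tooling) that checks both values from text a defender would already have at hand; the kubectl commands in the comments, the pilot container name "discovery", and the sample inputs are assumptions and constructed data, not taken from the advisory.

```shell
#!/bin/sh
# Added example: audit whether the ISTIO-SECURITY-2019-006 workaround values
# (both protocol detection timeouts set to 0s) are present. Inputs are plain
# text so the checks run offline; the sample data below is constructed.

# Assumption: pilot env is supplied as NAME=VALUE lines, e.g. from
#   kubectl -n istio-system get deploy istio-pilot -o jsonpath='{range
#   .spec.template.spec.containers[?(@.name=="discovery")].env[*]}{.name}={.value}{"\n"}{end}'
pilot_inbound_detection_disabled() {
    # $1: env listing; succeeds only on an exact "=0s" line
    printf '%s\n' "$1" | grep -qx 'PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s'
}

# Assumption: mesh config is the YAML under the "mesh" key of the istio
# ConfigMap in istio-system (kubectl -n istio-system get cm istio -o jsonpath='{.data.mesh}')
mesh_detection_disabled() {
    # $1: mesh config YAML; accepts quoted or unquoted 0s
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*protocolDetectionTimeout:[[:space:]]*"?0s"?[[:space:]]*$'
}

# Both overrides must be present for the workaround to be considered applied.
workaround_applied() {
    pilot_inbound_detection_disabled "$1" && mesh_detection_disabled "$2"
}

# Constructed samples: a patched cluster and default (vulnerable) settings.
PATCHED_ENV='POD_NAME=istio-pilot-abc
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s'
DEFAULT_ENV='POD_NAME=istio-pilot-abc
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=1s'
PATCHED_MESH='defaultConfig:
  connectTimeout: 10s
protocolDetectionTimeout: 0s'
DEFAULT_MESH='defaultConfig:
  connectTimeout: 10s
protocolDetectionTimeout: 100ms'

if workaround_applied "$PATCHED_ENV" "$PATCHED_MESH"; then
    echo "workaround present"
else
    echo "workaround missing"
fi
```

Run it against the live output of the two kubectl commands in the comments; a cluster that only has one of the two overrides still reports the workaround as missing, which is the case the advisory's pair of --set flags is meant to rule out.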

I think this should go to the Announcement channel so people can subscribe to that channel to get notifications. There are too many messages under General and Security.