Forwarding to #general to ensure folks see this…
The Istio Product Security Committee would like to inform you that a vulnerability affecting all Istio versions released after 1.3 (included) has been discovered. Note that the 1.4-alpha and 1.4-beta releases are also affected.
This vulnerability has been discussed publicly as a “high CPU” or “100% CPU” bug, and as such is considered a 0-day vulnerability.
As we are working on a code fix to address this issue, we would like to share an existing workaround. The exploitation of that vulnerability can be prevented by customizing your Istio install (as described in https://istio.io/docs/reference/config/installation-options/#pilot-options), using Helm to override the following options:
--set pilot.env.PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=0s --set global.proxy.protocolDetectionTimeout=0s
Thanks,
Francois (on behalf of Istio’s PSC)
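A small script to confirm that both overrides from the message above actually took effect in a cluster (the Pilot env var and the mesh-config value the sidecars read). This is an added example, not part of the PSC's message; it assumes the default Istio object names (namespace istio-system, deployment istio-pilot with container "discovery", ConfigMap "istio" with key "mesh").

```shell
#!/bin/sh
# Added example (not from the original message): verify that the workaround
# is in effect, i.e. both protocol-detection timeouts are 0s.
# Assumed names: namespace istio-system, deployment istio-pilot whose Pilot
# container is "discovery", ConfigMap "istio" holding mesh config under "mesh".
set -eu

NS="${ISTIO_NAMESPACE:-istio-system}"

# A zero duration in any unit means protocol detection is disabled.
is_disabled() {
  case "$1" in
    0|0s|0ms|0m|0h) return 0 ;;
    *) return 1 ;;
  esac
}

# Read protocolDetectionTimeout from mesh-config YAML on stdin.
# Prints the value, or "unset" when the key is absent (Istio then uses its default).
mesh_timeout_from_yaml() {
  awk '
    $1 == "protocolDetectionTimeout:" { gsub(/"/, "", $2); print $2; found = 1; exit }
    END { if (!found) print "unset" }
  '
}

# Pilot-side setting: the env var on the discovery container.
pilot_timeout() {
  kubectl -n "$NS" get deploy istio-pilot \
    -o jsonpath='{.spec.template.spec.containers[?(@.name=="discovery")].env[?(@.name=="PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT")].value}'
}

# Sidecar-side setting: mesh config distributed through the istio ConfigMap.
mesh_timeout() {
  kubectl -n "$NS" get configmap istio -o jsonpath='{.data.mesh}' | mesh_timeout_from_yaml
}

check_cluster() {
  p=$(pilot_timeout); m=$(mesh_timeout); status=0
  is_disabled "${p:-unset}" || { echo "pilot: PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT=${p:-unset} (expected 0s)"; status=1; }
  is_disabled "$m" || { echo "mesh: protocolDetectionTimeout=$m (expected 0s)"; status=1; }
  [ "$status" -eq 0 ] && echo "workaround in place"
  return "$status"
}

# Only touch the cluster when run with --check, so the helpers can be sourced.
if [ "${1:-}" = "--check" ]; then
  check_cluster
fi
```

Run it as `sh check-istio-workaround.sh --check`; a non-zero exit means at least one of the two settings is still at its default.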