Announcing Istio 1.11.8

content/en/news/releases/1.11.x/announcing-1.11.8/index.md

This release fixes the security vulnerabilities described in our March 9th post, ISTIO-SECURITY-2022-004. This release note describes what’s different between Istio 1.11.7 and 1.11.8.

{{< relnote >}}

Security update

  • CVE-2022-24726 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack due to stack exhaustion.

Envoy CVEs

At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however, to be transparent.

  • CVE-2022-21657 (CVSS Score 3.1, Low): X.509 Extended Key Usage and Trust Purposes bypass.