Announcing Istio 1.12.5

This release fixes the security vulnerabilities described in our March 9th post, ISTIO-SECURITY-2022-004. This release note describes what’s different between Istio 1.12.4 and 1.12.5.

Security update

  • CVE-2022-24726: (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack due to stack exhaustion.

Changes

  • Fixed an issue with Delta CDS where a removed service port would persist after being updated. (Pull Request #37454)

  • Fixed an issue where CNI ignored traffic annotations. (Issue #37637)

  • Fixed a bug where cache entries were never updated. (Pull Request #37578)

Envoy CVEs

At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however, to be transparent.

  • CVE-2022-21656 (CVSS Score 3.1, Low): X.509 subjectAltName matching (and nameConstraints) bypass.

  • CVE-2022-21657 (CVSS Score 3.1, Low): X.509 Extended Key Usage and Trust Purposes bypass.