Announcing Istio 1.13.2


This release fixes the security vulnerabilities described in our March 9th post, ISTIO-SECURITY-2022-004. This release note describes what’s different between Istio 1.13.1 and 1.13.2.

Security update

  • CVE-2022-24726: (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack due to stack exhaustion.

Changes

  • Added an OpenTelemetry access log provider. (Issue #36637)

  • Added support for using default JSON access logs format with Telemetry API. (Issue #37663)

  • Fixed an issue where describe pod did not show the VirtualService info when the gateway is a TLS ingress gateway. (Issue #35301)

  • Fixed an issue where the traffic.sidecar.istio.io/includeOutboundPorts annotation did not take effect when using CNI. (Issue #37637)

  • Fixed an issue where, when enabling Stackdriver metrics collection with the Telemetry API, logging was incorrectly enabled in certain scenarios. (Issue #37667)

Envoy CVEs

At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however, to be transparent.

  • CVE-2022-21656 (CVSS Score 3.1, Low): X.509 subjectAltName matching (and nameConstraints) bypass.

  • CVE-2022-21657 (CVSS Score 3.1, Low): X.509 Extended Key Usage and Trust Purposes bypass.