content/en/news/releases/1.15.x/announcing-1.15.7/index.md
This release fixes the security vulnerabilities described in our April 4th post, ISTIO-SECURITY-2023-001. This release note describes what’s different between Istio 1.15.6 and 1.15.7.
{{< relnote >}}
- CVE-2023-27487 (CVSS Score 8.2, High): Client may fake the header `x-envoy-original-path`.
- CVE-2023-27488 (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with a non-UTF-8 value is received.
- CVE-2023-27491 (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
- CVE-2023-27492 (CVSS Score 4.8, Moderate): Crash when a large request body is processed in the Lua filter.
- CVE-2023-27493 (CVSS Score 8.1, High): Envoy doesn't escape HTTP header values.
- CVE-2023-27496 (CVSS Score 6.5, Moderate): Crash when a redirect URL without a state parameter is received in the OAuth filter.
- Fixed an issue where you could not change `PrivateKeyProvider` using `proxy-config`. (Issue #41760)
- Fixed an issue where `istioctl analyze` threw a SIGSEGV when the optional `filter` field was missing under the `EnvoyFilter.ListenerMatch.FilterChainMatch` section. (Issue #42831)
- Fixed an issue where an `EnvoyFilter` patch for `Cluster.ConnectTimeout` was affecting unrelated clusters. (Issue #43435)
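As an added illustration of the last fix (this is example configuration written for this note, not code from the Istio project or from the release), the following `EnvoyFilter` changes `connect_timeout` on a single outbound cluster. The namespace `default`, the workload label `app: sleep`, the target service `httpbin.default.svc.cluster.local` and port `8000` are assumptions; the point is that the `match.cluster` block scopes the patch, so after upgrading to 1.15.7 only that cluster should carry the new timeout.

```yaml
# Added example, not from the Istio release note. Names below are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpbin-connect-timeout
  namespace: default
spec:
  # Apply only to sidecars of the assumed "sleep" workload.
  workloadSelector:
    labels:
      app: sleep
  configPatches:
  - applyTo: CLUSTER
    match:
      context: SIDECAR_OUTBOUND
      # Constrain the patch to one upstream cluster. A CLUSTER patch with no
      # cluster match applies to every cluster the sidecar knows about.
      cluster:
        service: httpbin.default.svc.cluster.local
        portNumber: 8000
    patch:
      operation: MERGE
      value:
        # Envoy Cluster.connect_timeout; 5s is an arbitrary value for the example.
        connect_timeout: 5s
```

To confirm the patch is scoped as intended, dump the sidecar's clusters with `istioctl proxy-config cluster <sleep-pod> -n default -o json` and compare the `connectTimeout` of the `httpbin` cluster on port 8000 with that of any other outbound cluster; only the matched cluster should show `5s`, the rest should keep the unmodified mesh value.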