
Announcing Istio 1.16.7


This release fixes the security vulnerabilities described in our July 25th post, ISTIO-SECURITY-2023-003.

This release note describes what’s different between Istio 1.16.6 and 1.16.7.

This is the last release of Istio 1.16.


Security update

  • CVE-2023-35941: (CVSS Score 8.6, High): OAuth2 credentials exploit with permanent validity.
  • CVE-2023-35942: (CVSS Score 6.5, Moderate): gRPC access log crash caused by the listener draining.
  • CVE-2023-35943: (CVSS Score 6.3, Moderate): CORS filter segfault when origin header is removed.
  • CVE-2023-35944: (CVSS Score 8.2, High): Incorrect handling of HTTP requests and responses with mixed case schemes in Envoy.