Announcing Istio 1.9.5 - Istio Io

This release fixes the security vulnerabilities described in our May 11th posts, ISTIO-SECURITY-2021-005 and ISTIO-SECURITY-2021-006.

Security update

{{< tip >}} The first 2 CVEs are highly related. {{< /tip >}}

CVE-2021-31920: Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. See the ISTIO-SECURITY-2021-005 bulletin for more details.
- CVSS Score: 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE-2021-29492: Envoy contains a remotely exploitable vulnerability where an HTTP request with escaped slash characters can bypass Envoy's authorization mechanisms.
- CVSS Score: 8.3 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CVE-2021-31921: Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration. See the ISTIO-SECURITY-2021-006 bulletin for more details.
- CVSS Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Changes

Added security best practice for authorization policies

Breaking Changes

As part of the fixes for ISTIO-SECURITY-2021-006, the previously deprecated .global stub domain for multicluster will no longer work.

This change can be temporarily disabled if desired by setting the environment variable PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH=true in Istiod. However, this is strongly discouraged, as it negates the fix to ISTIO-SECURITY-2021-006.

Please follow the Multicluster Installation documentation for more information.