ISTIO-SECURITY-2020-005

content/en/news/security/istio-security-2020-005/index.md

{{< security_bulletin >}}

Istio 1.4 and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled:

  • CVE-2020-10739: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.

Mitigation

  • For Istio 1.4.x deployments: update to Istio 1.4.9 or later.
  • For Istio 1.5.x deployments: update to Istio 1.5.4 or later.
  • Workaround: Alternatively, you can disable telemetry v2 by running the following:

{{< text bash >}}
$ istioctl manifest apply --set values.telemetry.v2.enabled=false
{{< /text >}}
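The following shell helper is an added example, not part of the Istio bulletin or the Istio project's own tooling. It turns the mitigation table above into a repeatable audit check: given an Istio version string (assumed to look like `1.5.3`, `v1.4.8` or `1.5.3-rc.1`) and the effective value of `values.telemetry.v2.enabled` (`true` or `false`), it reports whether the deployment is in the affected range for CVE-2020-10739, using the fixed versions the bulletin names (1.4.9 and 1.5.4). The version inputs in the demo loop are constructed, not read from a live cluster.

```shell
#!/bin/sh
# Added example (not from the Istio bulletin): classify an Istio version
# against the fixed releases named for CVE-2020-10739.
# Returns 0 (true) if the version is in an affected 1.4.x or 1.5.x range,
# 1 (false) otherwise. Releases outside 1.4/1.5 are not covered by the
# bulletin and are reported as not affected.
istio_affected() {
    ver="$1"
    ver="${ver#v}"          # tolerate a leading "v" (assumed input format)
    ver="${ver%%-*}"        # drop a pre-release suffix such as "-rc.1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    # a bare "1.5" has no patch component; treat it as 1.5.0
    [ "$patch" = "$rest" ] && patch=0
    case "$major.$minor" in
        1.4) [ "$patch" -lt 9 ] ;;   # fixed in 1.4.9
        1.5) [ "$patch" -lt 4 ] ;;   # fixed in 1.5.4
        *)   return 1 ;;
    esac
}

# Combine the version check with the telemetry v2 setting
# (the value of values.telemetry.v2.enabled, "true" or "false").
# Returns 0 only when both conditions from the bulletin hold.
istio_vulnerable() {
    [ "$2" = "true" ] && istio_affected "$1"
}

# Demo with constructed inputs (no cluster access needed).
for v in 1.4.8 1.4.9 v1.5.3 1.5.4 1.5.3-rc.1 1.6.0; do
    if istio_affected "$v"; then
        echo "$v: affected when telemetry v2 is enabled"
    else
        echo "$v: not affected"
    fi
done
```

In practice the version string would come from `istioctl version` and the telemetry setting from the applied manifest; feed those two values to `istio_vulnerable` and act on a zero exit status by upgrading or applying the workaround above.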

Credit

We'd like to thank Joren Zandstra for the original bug report.

{{< boilerplate "security-vulnerability" >}}