Announcing Istio 1.4.7
Patch Release
This release contains fixes for the security vulnerabilities described in our March 25th, 2020 news post. This release note describes what’s different between Istio 1.4.6 and Istio 1.4.7.
Security Update
- ISTIO-SECURITY-2020-004 Istio uses a hard coded signing_key for Kiali.
  CVE-2020-1764: Istio uses a default signing key to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 release.
Changes
- Fixed an issue causing protocol detection to break HTTP2 traffic to gateways (Issue 21230).