Announcing Istio 1.6.4

Patch Release

June 30, 2020

This release fixes the security vulnerability described in our June 30th, 2020 news post.

This release note describes what’s different between Istio 1.6.4 and Istio 1.6.3.

Things to know and prepare before upgrading.

Download and install this release.

Visit the documentation for this release.

Inspect the full set of source code changes.

Security update

CVE-2020-12603: By sending a specially crafted packet, an attacker could cause Envoy to consume excessive amounts of memory when proxying HTTP/2 requests or responses.
- CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-12605: An attacker could cause Envoy to consume excessive amounts of memory when processing specially crafted HTTP/1.1 packets.
- CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-8663: An attacker could cause Envoy to exhaust file descriptors when accepting too many connections.
- CVSS Score: 7.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-12604: An attacker could cause increased memory usage when processing specially crafted packets.
- CVSS Score: 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Was this information useful?

Do you have any suggestions for improvement?

Thanks for your feedback!