ISTIO-SECURITY-2020-005
Security Bulletin
Disclosure Details | |
---|---|
CVE(s) | CVE-2020-10739 |
CVSS Impact Score | 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Affected Releases | 1.4 to 1.4.8 1.5 to 1.5.3 |
Istio 1.4 with telemetry v2 enabled and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled:
- CVE-2020-10739:
By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.
- CVSS Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Mitigation
- For Istio 1.4.x deployments: update to Istio 1.4.9 or later.
- For Istio 1.5.x deployments: update to Istio 1.5.4 or later.
- Workaround: Alternatively, you can disable telemetry v2 by running the following:
$ istioctl manifest apply --set values.telemetry.v2.enabled=false
Credit
We’d like to thank Joren Zandstra
for the original bug report.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.