nghttp2 is a C library that implements HTTP/2. Versions of nghttp2 earlier than 1.41.0 contain a security vulnerability: a malicious client can construct a SETTINGS frame with a length of 14,400 bytes, which causes a denial of service. Istio deploys Envoy proxies as sidecars, and Envoy uses HTTP/2 libraries, so the vulnerability also exists in Istio. This topic lists the versions of Istio that contain the vulnerability and provides solutions.

Attackers can drive CPU usage to 100% by sending specially crafted packets. The packets may be sent to the ingress gateway or to a sidecar. For more information, see ISTIO-SECURITY-2020-006.

Affected versions

The following versions of Istio contain the vulnerability:
  • Istio 1.5.x: 1.5.0, 1.5.1, 1.5.2, 1.5.3, and 1.5.4
  • Istio 1.6.x: 1.6.0 and 1.6.1

Solutions

  • If you use Istio 1.5.4 or an earlier version, update Istio to 1.5.5 or later.
  • Alibaba Cloud Service Mesh (ASM) supports Istio 1.6.x. To eliminate the vulnerability, update Istio to 1.6.2 or later for your ASM instances.
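As an added check, not part of this advisory, the following Python helper classifies an Istio version string against the affected ranges listed above. It compares version components numerically, so a later patch release such as 1.5.10 is not mistaken for an affected one by lexical comparison; the version strings in the example are constructed samples.

```python
"""Classify Istio versions against ISTIO-SECURITY-2020-006 (nghttp2 SETTINGS DoS).

Added example, not the advisory's own tooling. Affected ranges and fixed
versions are taken from the advisory text; sample inputs are constructed.
"""
import re

# Affected patch ranges per minor line (inclusive), as listed in the advisory.
AFFECTED = {
    (1, 5): (0, 4),   # 1.5.0 .. 1.5.4
    (1, 6): (0, 1),   # 1.6.0 .. 1.6.1
}
# First release on each affected line that contains the fix.
FIXED = {(1, 5): "1.5.5", (1, 6): "1.6.2"}


def parse_version(text):
    """Return (major, minor, patch) as ints from e.g. '1.5.10' or 'v1.6.1-rc.0'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return (affected, advice) for one version string."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in AFFECTED:
        low, high = AFFECTED[line]
        if low <= patch <= high:
            return True, f"affected: update to {FIXED[line]} or later"
        return False, f"not affected: {FIXED[line]} or later already applied"
    return False, "release line not listed in this advisory"


def affected_subset(versions):
    """Return the versions from an inventory that still need updating."""
    return [v for v in versions if assess(v)[0]]


if __name__ == "__main__":
    # Constructed inventory of control-plane / sidecar versions across clusters.
    inventory = ["1.5.4", "1.5.10", "v1.6.1", "1.6.2", "1.7.0"]
    for v in inventory:
        print(f"{v:>8}: {assess(v)[1]}")
    print("needs update:", affected_subset(inventory))
```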