nghttp2 is a C library that implements HTTP/2. Versions of nghttp2 earlier than 1.41.0 contain a denial-of-service vulnerability (CVE-2020-11080): a malicious client can repeatedly send an oversized HTTP/2 SETTINGS frame, for example one with a 14,400-byte payload (2,400 settings entries of 6 bytes each), and the server burns CPU processing it. Istio deploys Envoy proxies as sidecars and gateways, and Envoy's HTTP/2 codec is built on nghttp2, so Istio inherits the vulnerability. This topic lists the Istio versions that contain the vulnerability and describes how to fix it.
Attackers can drive the CPU of an affected proxy to 100% by sending specially crafted SETTINGS frames. The frames may be sent to the ingress gateway or to a sidecar. For more information, see ISTIO-SECURITY-2020-006.
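To make the numbers in the advisory concrete, the following is an added example written for this page, not code from nghttp2, Envoy or Istio. It parses the 9-byte HTTP/2 frame header and a SETTINGS payload as defined in RFC 7540, builds the frame the CVE describes (2,400 entries of 6 bytes, a 14,400-byte payload), and shows that such a frame satisfies every size rule the RFC requires (the payload is below the default SETTINGS_MAX_FRAME_SIZE of 16,384 bytes), so only a cap on the number of entries per frame rejects it. The cap of 32 entries is an assumption for this example (the nghttp2 fix added a per-frame limit; check the nghttp2 version you run for its actual value), and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* HTTP/2 wire constants from RFC 7540. */
#define H2_FRAME_HEADER_LEN       9
#define H2_FRAME_TYPE_SETTINGS    0x4
#define H2_FLAG_ACK               0x1
#define H2_SETTINGS_ENTRY_LEN     6       /* 16-bit identifier + 32-bit value */
#define H2_DEFAULT_MAX_FRAME_SIZE 16384   /* SETTINGS_MAX_FRAME_SIZE default (2^14) */

/* Assumed cap on settings entries per frame. nghttp2 1.41.0 added such a
 * limit; the value 32 is an assumption for this example, not from the page. */
#define MAX_SETTINGS_ENTRIES      32

enum settings_result {
    SETTINGS_OK = 0,
    SETTINGS_ERR_SHORT,       /* buffer shorter than header + declared payload */
    SETTINGS_ERR_TYPE,        /* not a SETTINGS frame */
    SETTINGS_ERR_STREAM_ID,   /* SETTINGS must be sent on stream 0 */
    SETTINGS_ERR_FRAME_SIZE,  /* RFC 7540 FRAME_SIZE_ERROR conditions */
    SETTINGS_ERR_TOO_MANY     /* entry count above the cap (the post-fix check) */
};

/* Parse the frame header and validate a SETTINGS frame. On success or on a
 * too-many-entries error the entry count is stored in *entries (if non-NULL). */
int validate_settings_frame(const uint8_t *buf, size_t buflen,
                            size_t max_entries, size_t *entries)
{
    if (buflen < H2_FRAME_HEADER_LEN)
        return SETTINGS_ERR_SHORT;

    uint32_t length = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    uint8_t  type   = buf[3];
    uint8_t  flags  = buf[4];
    uint32_t stream = (((uint32_t)buf[5] << 24) | ((uint32_t)buf[6] << 16) |
                       ((uint32_t)buf[7] << 8) | buf[8]) & 0x7fffffffu;

    if (type != H2_FRAME_TYPE_SETTINGS)
        return SETTINGS_ERR_TYPE;
    if (stream != 0)
        return SETTINGS_ERR_STREAM_ID;
    if (length > H2_DEFAULT_MAX_FRAME_SIZE)        /* oversized frame */
        return SETTINGS_ERR_FRAME_SIZE;
    if ((flags & H2_FLAG_ACK) && length != 0)      /* ACK must carry no payload */
        return SETTINGS_ERR_FRAME_SIZE;
    if (length % H2_SETTINGS_ENTRY_LEN != 0)       /* payload must be whole entries */
        return SETTINGS_ERR_FRAME_SIZE;
    if (buflen < H2_FRAME_HEADER_LEN + length)
        return SETTINGS_ERR_SHORT;

    size_t n = length / H2_SETTINGS_ENTRY_LEN;
    if (entries)
        *entries = n;
    /* Everything above is what an unpatched, RFC-conformant peer checks; a
     * 14,400-byte payload passes all of it. The entry cap is the added defence. */
    if (n > max_entries)
        return SETTINGS_ERR_TOO_MANY;
    return SETTINGS_OK;
}

/* Build a SETTINGS frame (no ACK, stream 0) with nentries copies of
 * SETTINGS_HEADER_TABLE_SIZE = 4096. Returns total bytes written, 0 on failure. */
size_t build_settings_frame(uint8_t *out, size_t outlen, size_t nentries)
{
    size_t payload = nentries * H2_SETTINGS_ENTRY_LEN;
    size_t total   = H2_FRAME_HEADER_LEN + payload;
    if (payload > 0xffffffu || outlen < total)
        return 0;
    out[0] = (uint8_t)(payload >> 16);
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    out[3] = H2_FRAME_TYPE_SETTINGS;
    out[4] = 0;                     /* flags: no ACK */
    memset(out + 5, 0, 4);          /* stream identifier 0 */
    for (size_t i = 0; i < nentries; i++) {
        uint8_t *e = out + H2_FRAME_HEADER_LEN + i * H2_SETTINGS_ENTRY_LEN;
        e[0] = 0x00; e[1] = 0x01;                            /* identifier 0x1 */
        e[2] = 0x00; e[3] = 0x00; e[4] = 0x10; e[5] = 0x00;  /* value 4096 */
    }
    return total;
}

/* Constructed input: build an nentries-entry frame and validate it under a cap. */
int check_settings_entries(size_t nentries, size_t max_entries, size_t *entries_out)
{
    size_t total = H2_FRAME_HEADER_LEN + nentries * H2_SETTINGS_ENTRY_LEN;
    uint8_t *buf = malloc(total);
    if (!buf)
        return SETTINGS_ERR_SHORT;
    size_t len = build_settings_frame(buf, total, nentries);
    int r = (len == 0) ? SETTINGS_ERR_SHORT
                       : validate_settings_frame(buf, len, max_entries, entries_out);
    free(buf);
    return r;
}

int main(void)
{
    size_t n = 0;
    int r = check_settings_entries(2400, SIZE_MAX, &n);   /* no cap: pre-fix behaviour */
    printf("2400-entry frame, no entry cap: %s (%zu entries, %zu payload bytes)\n",
           r == SETTINGS_OK ? "accepted" : "rejected", n, n * H2_SETTINGS_ENTRY_LEN);
    r = check_settings_entries(2400, MAX_SETTINGS_ENTRIES, &n);
    printf("2400-entry frame, cap %d: %s\n", MAX_SETTINGS_ENTRIES,
           r == SETTINGS_ERR_TOO_MANY ? "rejected, too many entries" : "accepted");
    r = check_settings_entries(3, MAX_SETTINGS_ENTRIES, &n);
    printf("3-entry frame, cap %d: %s\n", MAX_SETTINGS_ENTRIES,
           r == SETTINGS_OK ? "accepted" : "rejected");
    return 0;
}
```

Compile with `cc -std=c11 -Wall settings_check.c` and run it. The point the output makes is that the attack frame is well-formed HTTP/2: checking only the frame length, the ACK rule and the 6-byte alignment accepts it, which is why upgrading the library (or proxy) to a version that bounds the work per SETTINGS frame is the fix, not a firewall rule on packet size.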
Affected versions
The following versions of Istio contain the vulnerability:
Istio 1.5.x: 1.5.0, 1.5.1, 1.5.2, 1.5.3, and 1.5.4
Istio 1.6.x: 1.6.0 and 1.6.1
Solutions
If you use Istio 1.5.x (1.5.0 to 1.5.4), update to Istio 1.5.5 or later.
Service Mesh (ASM) supports Istio 1.6.x. If your ASM instances run Istio 1.6.0 or 1.6.1, update them to Istio 1.6.2 or later to fix the vulnerability.