If a Service Mesh (ASM) instance has telemetry V2 enabled, an attacker can send specially crafted packets to the ASM instance to trigger a null pointer exception, resulting in a denial of service. This topic lists the Istio versions that contain the vulnerability and provides solutions.
The specially crafted packets can be sent to either ingress gateways or sidecars. For more information, see the Istio security bulletin ISTIO-SECURITY-2020-005.
Affected versions
The following versions of Istio contain the vulnerability:
Istio 1.4.x: 1.4.0 to 1.4.8
Istio 1.5.x: 1.5.0 to 1.5.3
Solutions
If you use Istio 1.5.4 or an earlier version, update Istio to 1.5.5 or later.
Service Mesh (ASM) supports Istio 1.6.x. To prevent the vulnerability, update the Istio version of your ASM instances to 1.6.2 or later.
You can also disable the Prometheus monitoring feature when you create an ASM instance in the ASM console.
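An added check, not part of this topic or of Istio itself, that maps an Istio version string (for example the mesh version reported for an ASM instance or by istioctl) onto the affected ranges listed above and the telemetry V2 state; numeric parsing avoids the string-comparison mistake that would misclassify 1.4.10 as affected. The assess helper and its messages are assumptions of this example.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the advisory (ISTIO-SECURITY-2020-005), inclusive on both ends.
AFFECTED_RANGES = [
    ((1, 4, 0), (1, 4, 8)),
    ((1, 5, 0), (1, 5, 3)),
]

# Accepts 'v1.4.8', '1.5.3-rc.1' (pre-release suffix ignored) and '1.6' (patch defaults to 0).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse an Istio version string into a numeric tuple; None if unparseable.
    Numeric comparison matters: as strings, '1.4.10' sorts before '1.4.8'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Istio version: {version!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(version: str, telemetry_v2_enabled: bool) -> str:
    """Combine version and telemetry V2 state as the advisory does: only meshes
    running telemetry V2 on an affected version are exposed (helper is an assumption)."""
    if not is_affected(version):
        return "not affected: version outside the advisory ranges"
    if not telemetry_v2_enabled:
        return "affected version, but telemetry V2 is disabled: upgrade when convenient"
    return "exposed: upgrade Istio (1.5.5 or later / 1.6.2 or later) or disable telemetry V2"
```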