If telemetry V2 is enabled on an Alibaba Cloud Service Mesh (ASM) instance, attackers can send specially crafted packets to the ASM instance to trigger null pointer exceptions, which causes a denial of service. This topic lists the versions of Istio that contain the vulnerability and provides solutions.

The specially crafted packets may be sent to ingress gateways or sidecars. For more information, see ISTIO-SECURITY-2020-005.

Affected versions

The following versions of Istio contain the vulnerability:
  • Istio 1.4.x: 1.4.0 to 1.4.8
  • Istio 1.5.x: 1.5.0 to 1.5.3

Solutions

  • If you use Istio 1.5.4 or an earlier version, update the Istio version to 1.5.5 or later.
  • Alibaba Cloud Service Mesh (ASM) supports Istio 1.6.x. To prevent the vulnerability, update the Istio version to 1.6.2 or later for your ASM instances.
  • When you create an ASM instance in the ASM console, disable the Prometheus monitoring feature.
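The following script is an added example (not part of this topic or of Alibaba Cloud's tooling) that checks the proxy image tags running in a cluster against the affected ranges listed above. It assumes that the sidecar and gateway images end in `/proxyv2` and that their tag starts with the Istio version; the image list is a constructed sample of what `kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'` would print.

```python
"""Check Istio proxy image tags against the ranges affected by ISTIO-SECURITY-2020-005."""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, taken from the "Affected versions" list above.
AFFECTED_RANGES = (
    ((1, 4, 0), (1, 4, 8)),
    ((1, 5, 0), (1, 5, 3)),
)

# Leading major.minor.patch; a suffix such as "-distroless" is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(tag: str) -> Optional[Version]:
    """Return (major, minor, patch) from an image tag, or None if it has no version."""
    m = VERSION_RE.match(tag)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(tag: str) -> Optional[bool]:
    """True if the tag is in an affected range, False if not, None if the tag is unparsable."""
    v = parse_version(tag)
    if v is None:
        return None  # e.g. "latest": cannot decide, needs manual review
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_images(images: Iterable[str]) -> Dict[str, str]:
    """Give a verdict for each proxy image reference; non-proxy images are skipped."""
    verdicts = {}
    for image in images:
        name, _, tag = image.rpartition(":")
        if not name.endswith("/proxyv2"):  # assumption: proxies are named .../proxyv2
            continue
        result = is_affected(tag)
        verdicts[image] = "unknown" if result is None else ("affected" if result else "not affected")
    return verdicts


# Constructed sample of container images; the registry/tag values are illustrative only.
SAMPLE_IMAGES = [
    "docker.io/istio/proxyv2:1.5.2",
    "docker.io/istio/proxyv2:1.4.9",
    "docker.io/istio/proxyv2:1.6.2",
    "docker.io/istio/proxyv2:latest",
    "nginx:1.19",
]

if __name__ == "__main__":
    for image, verdict in scan_images(SAMPLE_IMAGES).items():
        print(f"{verdict:13} {image}")
```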