An Alibaba Cloud Service Mesh (ASM) instance can use Envoy proxies to proxy HTTP/2 requests and responses. Attackers can send specially crafted packets to the ASM instance to force the Envoy proxies to consume excessive memory. This topic lists versions of Istio that contain the vulnerability and provides solutions.

For more information, visit ISTIO-SECURITY-2020-007.

Affected versions

The following versions of Istio contain the vulnerability:
  • Istio 1.5.x: 1.5.0 to 1.5.6
  • Istio 1.6.x: 1.6.0 to 1.6.3


Solutions

  • If you use Istio 1.5.x, update the Istio version to 1.5.7 or later.
  • If you use Istio 1.6.x, update the Istio version to 1.6.4 or later.
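
One way to check workloads against the version ranges listed above, added here as an example and not taken from Alibaba Cloud or Istio tooling. It assumes the sidecar image tag carries the Istio version; the function names, pod names and `registry.example` image references are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sidecar images whose Istio version falls in the
# affected ranges named in this advisory (1.5.0-1.5.6, 1.6.0-1.6.3).

# Print "affected fix=<version>", "not-listed" or "unparseable" for one version.
istio_2020_007_status() {
    ver=${1#v}            # tolerate a leading "v"
    ver=${ver%%[-+]*}     # drop suffixes such as "-distroless" (assumed tag form)
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo "unparseable"; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver           # split into major, minor, patch
    IFS=$old_ifs
    if [ $# -ne 3 ]; then echo "unparseable"; return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -eq 5 ] && [ "$3" -le 6 ]; then
        echo "affected fix=1.5.7"
    elif [ "$1" -eq 1 ] && [ "$2" -eq 6 ] && [ "$3" -le 3 ]; then
        echo "affected fix=1.6.4"
    else
        echo "not-listed"  # outside the ranges this advisory names
    fi
}

# Read "<pod> <image>" lines on stdin; print "<pod> <tag> <status>" per line.
scan_proxy_images() {
    while read -r pod image; do
        [ -n "$pod" ] || continue
        last=${image##*/}             # final path component, e.g. proxyv2:1.5.4
        case $last in
            *:*) tag=${last##*:} ;;   # a registry port earlier in the path is ignored
            *)   tag="" ;;            # untagged reference: version unknown
        esac
        echo "$pod ${tag:-<none>} $(istio_2020_007_status "$tag")"
    done
}

# Constructed sample input (pod name, sidecar image).
scan_proxy_images <<'EOF'
reviews-v1 registry.example/istio/proxyv2:1.5.4
ratings-v1 registry.example/istio/proxyv2:1.5.7
gateway registry.example:5000/istio/proxyv2:1.6.3-distroless
details-v1 registry.example/istio/proxyv2:1.6.4
legacy registry.example/istio/proxyv2
EOF
```

Rows reported as `unparseable` (untagged or non-numeric tags) need a manual version check instead of being treated as safe.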