Main Vulnerability Database SB2019062817

SB2019062817 - Input validation error in Istio Istio

Published: June 28, 2019 Updated: July 17, 2020

Security Bulletin ID SB2019062817

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2019-12995)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwt_authenticator.cc segmentation fault.

Remediation

Install update from vendor's website.

References

https://github.com/istio/istio.io/pull/4555
https://github.com/istio/istio/issues/15084
https://istio.io/about/notes/