#VU30627 Infinite loop in Istio


Published: 2019-11-12 | Updated: 2020-07-17

Vulnerability identifier: #VU30627

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18817

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Istio
Web applications / Other software

Vendor: Istio

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Istio 1.3.x before 1.3.5 allows Denial of Service because continue_on_listener_filters_timeout is set to True, a related issue to CVE-2019-18836.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Istio: 1.3 - 1.3.4

External links
http://github.com/istio/istio/issues/18229
http://istio.io/news/2019/announcing-1.3.5/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Infinite loop in Istio Istio