Input validation error in Istio

#VU31036 Input validation error in Istio

Published: 2019-06-28 | Updated: 2020-07-17

Vulnerability identifier: #VU31036

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12995

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Istio
Web applications / Other software

Vendor: Istio

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwt_authenticator.cc segmentation fault.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Istio: 1.2.1

External links
http://github.com/istio/istio.io/pull/4555
http://github.com/istio/istio/issues/15084
http://istio.io/about/notes/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in Istio Istio