RATATOSKRATATOSK
ログイン

Istio

1.28.8Networking & Messaging
2026年6月5日

Istio 1.28.8 patches a high-severity DoS CVE in Envoy's HTTP/2 memory handling, plus three bug fixes covering TLS delivery, route filter status reporting, and a nasty ambient mode health policy contamination bug.

  • securityPatch CVE-2026-47774 immediately if you expose HTTP/2 endpoints

    An unauthenticated attacker can crash your Envoy sidecars by sending specially crafted HTTP/2 requests that bypass header size validation — cookie bytes aren't counted properly, and HPACK limits apply only to encoded size, not decoded. Any cluster accepting external or untrusted HTTP/2 traffic is at risk. Upgrade to 1.28.8 now. If you can't upgrade immediately, consider adding Envoy-level request header size limits or WAF rules to filter malformed HTTP/2 frames as a temporary measure.

  • breakingAudit ambient mode clusters using publishNotReadyAddresses with zonal traffic distribution

    If you run ambient mode and any Service sets publishNotReadyAddresses:true alongside PreferSameZone or PreferSameNode, you've likely been routing traffic to not-ready endpoints across your entire cluster — not just for that Service, but for every Service sharing the same traffic-distribution preset. This is a silent data-plane correctness bug. After upgrading, verify endpoint health behavior across affected Services and check whether any downstream systems received traffic from unhealthy pods during the window this was active.

  • enhancementFix for silent route filter drops enables reliable config debugging

    Previously, HTTPRoute or GRPCRoute filters with invalid header values would vanish from Envoy config without any status signal — making it nearly impossible to diagnose why traffic wasn't behaving as expected. Now Istio reports an invalid filter status, which surfaces in the Gateway API resource status. After upgrading, re-check any routes you may have debugged by guesswork; the explicit status message will clarify whether a header filter was rejected.

主な変更 (4)

  • CVE-2026-47774 (CVSS 7.5): Unauthenticated attackers can exhaust Envoy memory via crafted HTTP/2 requests exploiting gaps in cookie header accounting and HPACK decoded size limits
  • HTTPS listeners on ListenerSet with manual Gateway deployment now correctly deliver TLS certificates
  • HTTPRoute/GRPCRoute filters with invalid header values now report an invalid filter status instead of silently disappearing from Envoy config
  • Critical ambient mode fix: a Service with publishNotReadyAddresses:true plus PreferSameZone/PreferSameNode no longer poisons healthPolicy for all other Services sharing the same traffic-distribution preset