A vulnerability was found in istio/envoy affecting all versions, including v1.4.8 (when running Telemetry v2, which is not the default) and v1.5.2 (where Telemetry v2 is enabled by default). A remote attacker may send a specially crafted packet to the ingress gateway or sidecar, triggering a null pointer exception that results in a denial of service.
Acknowledgments: the Envoy Security Team
External References: https://istio.io/news/security/istio-security-2020-005/
Upstream patch: https://github.com/istio/envoy/commit/8788a3cf255b647fd14e6b5e2585abaaedb28153#diff-fcf2cf5dd389b5285f882ba4a8708633
Mitigation: Leave telemetry reporting in OpenShift Service Mesh set to the default component, Mixer, so that Telemetry V2 remains disabled.
This issue has been addressed in the following products:
OpenShift Service Mesh 1.1, via RHSA-2020:2148: https://access.redhat.com/errata/RHSA-2020:2148
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10739