Security Vulnerabilities

    To make a report, send an email to the private mailing list with the vulnerability details. For normal product bugs unrelated to latent security vulnerabilities, please head to our Reporting Bugs page to learn what to do.

    Send us a report whenever you:

    • Think Istio has a potential security vulnerability.
    • Are unsure whether or how a vulnerability affects Istio.
    • Think a vulnerability is present in another project that Istio depends on. For example, Envoy, Docker, or Kubernetes.

    When in doubt, please disclose privately. This includes, but is not limited to:

    • Any crash, especially in Envoy
    • Any security policy (like Authentication or Authorization) bypass or weakness
    • Any potential Denial of Service (DoS)

    When not to report a security vulnerability?

    Don’t send a vulnerability report if:

    • You need help tuning Istio components for security.
    • Your issue is not security related.
    • Your issue is related to base image dependencies (see )

    Evaluation

    The Istio security team acknowledges and analyzes each vulnerability report within three work days.

    We keep the reporter updated as the status of the security issue moves from , to , to .

    Once a security vulnerability has been fully characterized, a fix is developed by the Istio team. The development and testing for the fix happens in a private GitHub repository in order to prevent premature disclosure of the vulnerability.

    Early disclosure

    The Istio project maintains a mailing list for private early disclosure of security vulnerabilities. The list is used to provide actionable information to close Istio partners. The list is not intended for individuals to find out about security issues.

    See to get more information.

    On the day chosen for public disclosure, a sequence of activities takes place as quickly as possible:

    • Release engineers ensure all necessary binaries are promptly built and published.

    • Once the binaries are available, an announcement is sent out on the following channels:

    As much as possible this announcement will be actionable, and include any mitigating steps customers can take prior to upgrading to a fixed version. The recommended target time for these announcements is 16:00 UTC from Monday to Thursday. This means the announcement will be seen morning Pacific, early evening Europe, and late evening Asia.

    Base Images

    Istio offers two sets of docker images, based on (default) and based on (see ). These base images occasionally have CVEs. The Istio security team has automated scanning to ensure base images are kept free of CVEs.

    When CVEs are detected in our images, new images are automatically built and used for all future builds. Additionally, the security team analyzes the vulnerabilities to see if they are exploitable in Istio directly. In most cases, these vulnerabilities may be present in packages within the base image, but are not exploitable in the way Istio uses them. For these cases, new releases will not typically be released just to resolve these CVEs, and the fixes will be included in the next regularly scheduled release.

    The distroless base images are strongly encouraged if reducing base image CVEs is important to you.