Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | HIGH |
Published: 2020-06-02
Updated: 2024-11-21
Summary
Istio 1.4.x before 1.4.9 and Istio 1.5.x before 1.5.4 contain the following vulnerability when telemetry v2 is enabled: by sending a specially crafted packet to the ingress gateway or a proxy sidecar, an attacker could trigger a null pointer exception, resulting in a denial of service. The same null pointer exception flaw was found in servicemesh-proxy. When running Telemetry v2 (not on by default in version 1.4.x), an attacker could send a specially crafted packet to the ingress gateway or proxy sidecar, triggering a denial of service.
Vulnerable Configurations
Part | Description | Count |
Application | Istio | 25 |
Common Weakness Enumeration (CWE)
Nessus
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2020-2148.NASL |
description | The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:2148 advisory. - istio/envoy: crafted packet allows remote attacker to cause denial of service (CVE-2020-10739) Note that Nessus has not tested for this issue but has instead relied only on the application |
last seen | 2020-06-04 |
modified | 2020-05-14 |
plugin id | 136586 |
published | 2020-05-14 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/136586 |
title | RHEL 8 : Red Hat OpenShift Service Mesh 1.1.2 Service Mesh Proxy (RHSA-2020:2148) |
Redhat
rpms | servicemesh-proxy-0:1.1.2-2.el8 |