diff --git a/.spelling b/.spelling index 29ccecc87f9d..78f1634b787b 100644 --- a/.spelling +++ b/.spelling @@ -425,6 +425,8 @@ CVE-2025-30157 CVE-2025-46821 CVE-2025-54588 CVE-2025-55162 +CVE-2025-62409 +CVE-2025-62504 CVEs cves cvss diff --git a/content/en/news/security/istio-security-2025-002/index.md b/content/en/news/security/istio-security-2025-002/index.md index a832a0655b8a..0418a09c8028 100644 --- a/content/en/news/security/istio-security-2025-002/index.md +++ b/content/en/news/security/istio-security-2025-002/index.md @@ -1,12 +1,12 @@ --- -title: ISTIO-SECURITY-2025-001 +title: ISTIO-SECURITY-2025-002 subtitle: Security Bulletin description: CVEs reported by Envoy. cves: [CVE-2025-55162, CVE-2025-54588] -cvss: "7.5" -vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" -releases: ["1.27.0", "1.26.0 to 1.26.3", "1.25.0 to 1.25.4"] -publishdate: 2025-09-03 +cvss: "6.6" +vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" +releases: ["1.27.0 to 1.27.1", "1.26.0 to 1.26.5"] +publishdate: 2025-10-20 keywords: [CVE] skip_seealso: true --- 
@@ -17,9 +17,10 @@ skip_seealso: true ### Envoy CVEs -- __[CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh)__: (CVSS score 6.3, Moderate): OAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag -- __[CVE-2025-54588](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw)__: (CVSS score 7.5, High): Use after free in DNS cache +- __[CVE-2025-62504](https://nvd.nist.gov/vuln/detail/CVE-2025-62504)__: (CVSS score 6.5, Medium): Lua modified large enough response body will cause Envoy to crash. +- __[CVE-2025-62409](https://nvd.nist.gov/vuln/detail/CVE-2025-62409)__: (CVSS score 6.6, Medium): Large requests and responses can cause TCP connection pool crash. ## Am I Impacted? -You are impacted if you are using Istio 1.27.0, 1.26.0 to 1.26.3, or 1.25.0 to 1.25.4, and you use cookies named with prefix `__Secure-` or `__Host-`, or you are using `EnvoyFilter` with `dynamic_forward_proxy`. +You are impacted if you use Lua via `EnvoyFilter` that returns an oversized response body exceeding the `per_connection_buffer_limit_bytes` (default 1MB) or where you have large requests +and responses where a connection can be closed but data from upstream is still being sent.
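Review bot: in the index.md front-matter hunk the `cves:` line is left as `cves: [CVE-2025-55162, CVE-2025-54588]`, the CVEs of the 2025-001 bulletin, while the body hunk below replaces those with CVE-2025-62504 and CVE-2025-62409; change it to `cves: [CVE-2025-62504, CVE-2025-62409]` so the page metadata (and any CVE index generated from it) matches the bulletin text. Separately, the new `vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"` scores as a CVSS 3.1 base of 6.5 (exploitability about 2.8, impact about 3.6, rounded up), not the `cvss: "6.6"` given beside it; either the score or the vector needs correcting so the two agree, and if 6.6 comes from a different CVSS version that should be stated. The title correction from 2025-001 to 2025-002 is right.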
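Review bot: the rewritten "Am I Impacted?" paragraph in the body hunk drops the affected-version statement that the replaced text carried, so a reader of this section no longer learns which Istio releases are affected; restate the `releases` values from the front matter, e.g. "You are impacted if you are using Istio 1.27.0 to 1.27.1 or 1.26.0 to 1.26.5, and ...". The added sentence is also a run-on with the second condition hard to parse; splitting it into two bullets, one for the Lua `EnvoyFilter` case where the returned body exceeds `per_connection_buffer_limit_bytes` (default 1MB) and one for the large request/response case where the connection is closed while upstream data is still arriving, would read more clearly. Minor: the CVE-2025-62504 bullet "Lua modified large enough response body will cause Envoy to crash" needs a grammar fix (e.g. "A Lua filter that modifies a sufficiently large response body can crash Envoy"), and the removed entries linked the GitHub advisories (GHSA) while the new ones link NVD; use one link target consistently.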