Recommended Actions
Action Required
Immediate patching is strongly recommended to address critical security vulnerabilities, especially the JWKS private key leak and XDS debug endpoint authentication bypass. Review all updates to ensure smooth operation and leverage new features.
Summary
Istio 1.29.1 delivers crucial security fixes, fortifying your mesh against potential exploits. This release patches a critical JWKS private key leak, preventing attackers from forging JWT tokens, and tightens authentication on XDS debug endpoints. Gateway API users will appreciate enhanced CORS wildcard handling and robust backend policy dependency tracking. For ambient mode, a panic with cross-network WorkloadEntries has been resolved, along with a fix for TLS inspection on exclusively TLS ports, improving routing reliability. Deployments now correctly handle null or zero resource limits, eliminating validation errors. Additional improvements include IP allocator stability, SSRF protection in WasmPlugin image fetching, and various nil-pointer dereference fixes, ensuring a more resilient and secure Istio experience. Upgrade promptly to secure your environment.
Critical Security Fix: JWKS Private Key Leak (ISTIO-SECURITY-TBD)
Security Advisory
CVE ID: ISTIO-SECURITY-TBD
CVSS Score: 8.7 (High)
This release addresses a critical security vulnerability where Istio’s JWT authentication fallback mechanism could inadvertently leak an RSA private key. Previously, if JWKS (JSON Web Key Set) fetching failed due to network issues or invalid URLs, Istio would fall back to a hardcoded, publicly available JWKS that unfortunately included a complete RSA keypair. This flaw allowed sophisticated attackers to extract the private key from Istio’s source code or Envoy configuration dumps and then forge arbitrary, valid JWT tokens, completely bypassing authentication during the failure window. This fix is paramount for maintaining the integrity of your authentication layer.
The vulnerable FakeJwks constant has been replaced with PublicOnlyJwks. This new JWKS contains only a public RSA key, where the corresponding private key was generated once and immediately discarded, making it cryptographically impossible to forge JWTs that validate against it. This change ensures a secure ‘fail-closed’ behavior, preventing authentication bypass even when JWKS fetching encounters issues.
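The practical check a defender wants here is one that catches the original defect: a key set that is meant to be public-only but carries private members. The Go program below is an added example, not Istio's code; it lists the JWK members that hold private material (RFC 7518: d, p, q, dp, dq, qi, oth for RSA, d for EC, k for symmetric keys), scans a JWKS document for them, and models the fail-closed resolver: a fetch failure yields no keys at all rather than a fallback set. The two sample JWKS documents are constructed with dummy values; the scan only looks at which members are present.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// JWK members that carry private key material (RFC 7518: RSA s6.3.2,
// EC s6.2.2, symmetric s6.4).
var privateMembers = []string{"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

// Sample documents, constructed for this example. Key values are dummies;
// the check only cares which members exist.
const (
	PublicOnlySampleJWKS = `{"keys":[{"kty":"RSA","kid":"pub-1","use":"sig","n":"0vx7agoebG","e":"AQAB"}]}`
	LeakySampleJWKS      = `{"keys":[{"kty":"RSA","kid":"fake-1","n":"0vx7agoebG","e":"AQAB","d":"X4cTteJY","p":"83i-7iv","q":"3dfOR9cu"}]}`
)

// PrivateKeyIDs parses a JWKS document and returns the kid (or index) of every
// key that carries a private member. For a default or fallback JWKS that is
// shipped with a binary, the result must be empty.
func PrivateKeyIDs(doc []byte) ([]string, error) {
	var set struct {
		Keys []map[string]json.RawMessage `json:"keys"`
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, fmt.Errorf("invalid JWKS: %w", err)
	}
	var leaked []string
	for i, key := range set.Keys {
		kid := fmt.Sprintf("keys[%d]", i)
		if raw, ok := key["kid"]; ok {
			var s string
			if json.Unmarshal(raw, &s) == nil {
				kid = s
			}
		}
		for _, m := range privateMembers {
			if _, ok := key[m]; ok {
				leaked = append(leaked, kid)
				break
			}
		}
	}
	return leaked, nil
}

// ResolveJWKS is the fail-closed resolver: when the remote fetch fails there
// is no fallback key set, so no token can validate during the outage. A
// fetched document that carries private members is refused as well.
func ResolveJWKS(fetch func() ([]byte, error)) ([]byte, error) {
	doc, err := fetch()
	if err != nil {
		return nil, fmt.Errorf("JWKS fetch failed, rejecting all tokens: %w", err)
	}
	leaked, err := PrivateKeyIDs(doc)
	if err != nil {
		return nil, err
	}
	if len(leaked) > 0 {
		return nil, errors.New("JWKS carries private key material for " + fmt.Sprint(leaked))
	}
	return doc, nil
}

func main() {
	for name, doc := range map[string]string{"public-only": PublicOnlySampleJWKS, "leaky": LeakySampleJWKS} {
		ids, err := PrivateKeyIDs([]byte(doc))
		fmt.Printf("%s: private members on %v, err=%v\n", name, ids, err)
	}
	_, err := ResolveJWKS(func() ([]byte, error) { return nil, errors.New("dial tcp: i/o timeout") })
	fmt.Println("fetch failure:", err)
}
```

Running PrivateKeyIDs over the JWKS found in an Envoy config dump is a quick way to confirm that a mesh is no longer serving the leaky fallback.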
Enhanced Security for XDS Debug Endpoints
Istio 1.29.1 significantly hardens the security of XDS debug endpoints, preventing unauthorized access to sensitive configuration information. Previously, critical debug endpoints like /debug/syncz and /debug/config_dump were accessible without authentication on the plaintext XDS port (15010), posing a significant information disclosure risk. This update ensures that access to these endpoints now requires proper authentication, aligning their security posture with the general security guidelines for debug interfaces.
Authentication is now enforced for XDS debug endpoints (/debug/syncz, /debug/config_dump) on port 15010 when the ENABLE_DEBUG_ENDPOINT_AUTH feature flag is enabled (which it is by default). Unauthenticated requests will now be rejected with an Unauthenticated gRPC error. Furthermore, a new environment variable, DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES, has been introduced. This allows administrators to specify a comma-separated list of additional namespaces that are authorized to access debug endpoints, beyond the istio-system namespace, providing more granular control without compromising security.
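To make the two knobs concrete, the Go program below is an added example (not Istio's implementation) of an authorizer for the /debug/* endpoints: it parses a comma-separated allowlist in the shape of DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES, always admits istio-system, and rejects callers without an identity with an Unauthenticated-style error. It assumes the caller's namespace is taken from an Istio SPIFFE identity of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>; the PermissionDenied result for an authenticated caller outside the allowlist is this example's choice, not something the page states.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Errors modelled on the gRPC status codes a caller would observe.
// Unauthenticated is what the page describes for callers without an identity;
// PermissionDenied for an authenticated caller outside the allowlist is an
// assumption of this example.
var (
	ErrUnauthenticated  = errors.New("Unauthenticated: debug endpoint requires a client identity")
	ErrPermissionDenied = errors.New("PermissionDenied: namespace not allowed to access debug endpoints")
)

// DebugEndpointAuthorizer mirrors ENABLE_DEBUG_ENDPOINT_AUTH and
// DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES.
type DebugEndpointAuthorizer struct {
	authEnabled bool
	allowed     map[string]bool
}

// NewDebugEndpointAuthorizer parses the comma-separated extra namespaces.
// istio-system is always allowed; entries are trimmed and empty ones skipped.
func NewDebugEndpointAuthorizer(authEnabled bool, allowedNamespaces string) *DebugEndpointAuthorizer {
	a := &DebugEndpointAuthorizer{authEnabled: authEnabled, allowed: map[string]bool{"istio-system": true}}
	for _, ns := range strings.Split(allowedNamespaces, ",") {
		if ns = strings.TrimSpace(ns); ns != "" {
			a.allowed[ns] = true
		}
	}
	return a
}

// NamespaceFromSPIFFE extracts the namespace from an Istio workload identity
// of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>.
func NamespaceFromSPIFFE(id string) (string, bool) {
	const prefix = "spiffe://"
	if !strings.HasPrefix(id, prefix) {
		return "", false
	}
	parts := strings.Split(strings.TrimPrefix(id, prefix), "/")
	// parts: [trust-domain, "ns", namespace, "sa", service-account]
	if len(parts) != 5 || parts[1] != "ns" || parts[3] != "sa" || parts[2] == "" {
		return "", false
	}
	return parts[2], true
}

// Authorize decides whether a request to an XDS /debug/* endpoint may proceed.
// callerID is the peer's authenticated identity, or "" for a plaintext caller.
func (a *DebugEndpointAuthorizer) Authorize(callerID string) error {
	if !a.authEnabled {
		return nil // flag turned off: legacy unauthenticated access
	}
	ns, ok := NamespaceFromSPIFFE(callerID)
	if !ok {
		return ErrUnauthenticated
	}
	if !a.allowed[ns] {
		return fmt.Errorf("%w: %q", ErrPermissionDenied, ns)
	}
	return nil
}

func main() {
	a := NewDebugEndpointAuthorizer(true, "monitoring")
	for _, id := range []string{
		"",
		"spiffe://cluster.local/ns/istio-system/sa/istiod",
		"spiffe://cluster.local/ns/monitoring/sa/prometheus",
		"spiffe://cluster.local/ns/default/sa/sleep",
	} {
		fmt.Printf("%-55q -> %v\n", id, a.Authorize(id))
	}
}
```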
Source:
pilot/pkg/xds/statusgen.go (76-80)
pilot/pkg/features/pilot.go (103-112)
pilot/pkg/xds/debug.go (323-324)
releasenotes/notes/statusgen-xds-auth.yaml (1-21)
releasenotes/notes/xds-debug-namespace-auth.yaml (1-6)
Fix for Null/Zero Resource Limits in Deployments
Previously, setting resource limits or requests (e.g., CPU, memory) to null or 0 in Istio configuration, particularly for proxy injection, gateway generation, or Helm chart deployments, would lead to validation errors. This issue stemmed from Helm’s toYaml function, which serializes null values directly into the YAML, causing Kubernetes to reject the resource definitions. This fix ensures that null or 0 values for resource limits are correctly handled, allowing for more flexible and predictable resource assignments.
A new omitNil template function has been introduced and integrated into Istio’s Helm charts and injection templates. This function recursively removes nil values from maps and slices before they are rendered into Kubernetes manifests. For instance, if you define a proxy resource limit with cpu: null, the omitNil function will remove the cpu field entirely from the generated YAML, preventing validation failures. This change streamlines resource configuration, especially when you want to omit certain resource constraints.
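The Go program below is an added example, not the omitNil function from Istio's templates: it implements the same recursive nil removal over the map[string]any and []any shapes that decoded YAML takes, registers it in a Go text/template FuncMap the way a chart helper would, and renders the constructed cpu: null case so the dropped field is visible. Serialisation is JSON from the standard library rather than the YAML a chart emits; only nil is removed, so a literal 0 is kept, and a map left empty by the removal stays as an empty map (both are this example's choices).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// OmitNil returns a copy of v with every nil value removed, recursing into
// the map[string]any and []any shapes that decoded YAML or JSON values take.
// Only nil (YAML null) is dropped; zero values such as 0 or "" are kept, and a
// map left empty after the removal is returned as an empty map.
func OmitNil(v any) any {
	switch x := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(x))
		for k, val := range x {
			if val == nil {
				continue
			}
			out[k] = OmitNil(val)
		}
		return out
	case []any:
		out := make([]any, 0, len(x))
		for _, val := range x {
			if val == nil {
				continue
			}
			out = append(out, OmitNil(val))
		}
		return out
	default:
		return v
	}
}

// RenderResources pushes a decoded resources block through a template in which
// the value is piped through omitNil before it is serialised, so a null limit
// never reaches the manifest. Output is JSON here; a chart would emit YAML.
func RenderResources(resources map[string]any) (string, error) {
	funcs := template.FuncMap{
		"omitNil": OmitNil,
		"toJson": func(v any) (string, error) {
			b, err := json.Marshal(v)
			return string(b), err
		},
	}
	tmpl, err := template.New("resources").Funcs(funcs).Parse(`{{ toJson (omitNil .) }}`)
	if err != nil {
		return "", err
	}
	var buf strings.Builder
	if err := tmpl.Execute(&buf, resources); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleResources is the decoded form of this constructed input:
//   limits:   {cpu: null, memory: 128Mi}
//   requests: {cpu: 100m, memory: null}
func SampleResources() map[string]any {
	return map[string]any{
		"limits":   map[string]any{"cpu": nil, "memory": "128Mi"},
		"requests": map[string]any{"cpu": "100m", "memory": nil},
	}
}

func main() {
	out, err := RenderResources(SampleResources())
	fmt.Println(out, err)
}
```

Without the omitNil step the same template would serialise "cpu":null, which is exactly the value the API server rejected.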
Source:
pkg/kube/inject/template.go (410-461)
manifests/charts/gateway/templates/_helpers.tpl (38-42)
releasenotes/notes/fix-null-resource-limits.yaml (1-8)
Improved Gateway API CORS Policy Handling
This release significantly improves how Istio’s Gateway API implementation processes Cross-Origin Resource Sharing (CORS) policies, particularly when dealing with wildcard origins. Developers can now define more flexible and accurate CORS rules using wildcards, which are correctly translated into Envoy’s regex-based origin matching. This enhancement ensures that HTTPRoute resources with sophisticated CORS requirements behave as expected, reducing configuration complexities and improving interoperability with modern web applications.
The createCorsFilter function now correctly translates various wildcard patterns in HTTPCORSFilter.AllowOrigins to Envoy’s StringMatch regex. This includes support for direct * (matching any valid origin), *.domain.com (using prefix matching for efficiency), and more complex *-based patterns (converted to full regex). Additionally, the UnmatchedPreflights field is explicitly set to IGNORE, which aligns with typical CORS behavior to avoid rejecting preflight requests that don’t precisely match configured origins but are still valid. This prevents unexpected denials for preflight requests.
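The security-relevant detail in a wildcard-to-regex translation is that the literal parts are escaped and the expression is anchored; otherwise https://*.domain.com also admits https://api.domain.com.evil.net, and an unescaped dot matches any character. The Go program below is an added example, not Istio's createCorsFilter: it compiles allowOrigins entries with regexp.QuoteMeta plus anchoring, treats a lone * as "any non-empty origin", and evaluates a request's Origin against the list. It uses a regex for every wildcard entry rather than the prefix-match optimisation the page describes, and it lets * span several labels, so https://*.domain.com also matches https://a.b.domain.com; the test origins are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// OriginMatcher is one compiled allowOrigins entry.
type OriginMatcher struct {
	Pattern  string
	matchAny bool
	re       *regexp.Regexp
}

// CompileOrigin turns an allowOrigins entry into a matcher. A lone "*" accepts
// any non-empty origin. Every other entry goes through regexp.QuoteMeta so "."
// and other metacharacters stay literal, each "*" is then widened to ".*", and
// the expression is anchored at both ends so that no suffix such as
// ".evil.net" can be appended to an allowed origin.
func CompileOrigin(pattern string) (OriginMatcher, error) {
	if pattern == "*" {
		return OriginMatcher{Pattern: pattern, matchAny: true}, nil
	}
	expr := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, `.*`) + "$"
	re, err := regexp.Compile(expr)
	if err != nil {
		return OriginMatcher{}, fmt.Errorf("allowOrigins %q: %w", pattern, err)
	}
	return OriginMatcher{Pattern: pattern, re: re}, nil
}

// Match reports whether a request's Origin header value satisfies the entry.
func (m OriginMatcher) Match(origin string) bool {
	if m.matchAny {
		return origin != ""
	}
	return m.re.MatchString(origin)
}

// CompileOrigins compiles a whole allowOrigins list, failing on the first bad entry.
func CompileOrigins(patterns []string) ([]OriginMatcher, error) {
	out := make([]OriginMatcher, 0, len(patterns))
	for _, p := range patterns {
		m, err := CompileOrigin(p)
		if err != nil {
			return nil, err
		}
		out = append(out, m)
	}
	return out, nil
}

// Allowed reports whether origin matches any entry of the compiled list.
func Allowed(matchers []OriginMatcher, origin string) bool {
	for _, m := range matchers {
		if m.Match(origin) {
			return true
		}
	}
	return false
}

func main() {
	matchers, _ := CompileOrigins([]string{"https://*.domain.com", "https://app.example.org"})
	for _, o := range []string{
		"https://api.domain.com",
		"https://api.domain.com.evil.net",
		"https://app.example.org",
		"https://appXexampleXorg",
	} {
		fmt.Printf("%-35s allowed=%v\n", o, Allowed(matchers, o))
	}
}
```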
Source:
pilot/pkg/config/kube/gateway/conversion.go (1234-1305)
releasenotes/notes/59018.yaml (1-7)
releasenotes/notes/59026.yaml (1-6)
Ambient Mesh Stability: Cross-Network WorkloadEntry and TLS Inspector Fixes
For users leveraging Istio’s ambient mesh, this release brings crucial stability and functional improvements. A critical panic occurring when cross-network WorkloadEntries were present without multi-network ambient enabled has been resolved, making ambient mode more robust in diverse network setups. Additionally, a long-standing issue where the TLS inspector was not correctly added to waypoint listeners with only TLS ports has been fixed. This ensures that SNI-based routing functions reliably even when all inbound traffic is secured with TLS, preventing failures in wildcard ServiceEntry configurations.
The panic related to cross-network WorkloadEntries has been fixed by adjusting the workloadEntryWorkloadBuilder and podWorkloadBuilder in ambient mesh’s workload processing. Now, remote network workloads are correctly identified and their precomputation is skipped if AMBIENT_ENABLE_MULTI_NETWORK is disabled, preventing nil-pointer dereferences. The TLS inspector fix in pilot/pkg/networking/core/listener_waypoint.go ensures that xdsfilters.TLSInspector is always applied to waypoint listeners as long as there are any TLS ports configured, regardless of whether non-TLS ports also exist. This improves SNI-based routing for DYNAMIC_DNS ServiceEntries.
Source:
pilot/pkg/serviceregistry/kube/controller/ambient/workloads.go (709-724)
pilot/pkg/networking/core/listener_waypoint.go (566-577)
releasenotes/notes/59321.yaml (1-11)
releasenotes/notes/59028.yaml (1-10)
Robust IP Address Allocation in Service Entries
Istio’s IP address allocator for Service Entries now operates with increased resilience, particularly against transient API server issues. A bug could lead to IP address leaks when the Kubernetes API server rejected status patches for Service Entries. This release ensures that any newly allocated IP addresses are properly freed if a subsequent patch operation fails, preventing resource exhaustion and maintaining the integrity of your IP address pools for DYNAMIC_DNS Service Entries.
The statusPatchForAddresses function in pilot/pkg/controllers/ipallocate/ipallocate.go has been enhanced. It now returns a list of newlyAllocated IP addresses. If both the initial replaceAddresses patch and the fallback addStatusAndAddresses patch fail, these newlyAllocated IPs are explicitly released back into the pool via the new freeAddresses function. This prevents IP address leaks that could occur due to stale informer state or concurrent updates, ensuring that IP resources are always accurately managed.
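The allocate-then-persist pattern and its leak are easy to reproduce in isolation. The Go program below is an added example, not the ipallocate controller: a small address pool built on net/netip, a Patcher interface standing in for the replaceAddresses and addStatusAndAddresses status patches, and an Assign step that releases the newly allocated address when both patch paths fail. The pool range, the ServiceEntry names and the FakePatcher that simulates API server rejections are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Pool is a minimal address pool (constructed for this example): addresses
// come off a free list and go back onto it with Free.
type Pool struct {
	free  []netip.Addr
	inUse map[netip.Addr]bool
}

// NewPool carves up to n consecutive addresses out of prefix.
func NewPool(prefix string, n int) (*Pool, error) {
	p, err := netip.ParsePrefix(prefix)
	if err != nil {
		return nil, err
	}
	pool := &Pool{inUse: map[netip.Addr]bool{}}
	addr := p.Addr().Next() // skip the network address itself
	for i := 0; i < n && p.Contains(addr); i++ {
		pool.free = append(pool.free, addr)
		addr = addr.Next()
	}
	return pool, nil
}

func (p *Pool) Allocate() (netip.Addr, error) {
	if len(p.free) == 0 {
		return netip.Addr{}, errors.New("address pool exhausted")
	}
	a := p.free[0]
	p.free = p.free[1:]
	p.inUse[a] = true
	return a, nil
}

// Free returns addresses to the pool; unknown addresses are ignored.
func (p *Pool) Free(addrs ...netip.Addr) {
	for _, a := range addrs {
		if p.inUse[a] {
			delete(p.inUse, a)
			p.free = append(p.free, a)
		}
	}
}

func (p *Pool) Available() int { return len(p.free) }

// Patcher models the two status-patch strategies: replacing the addresses
// field, and the fallback that adds the status field together with it.
type Patcher interface {
	ReplaceAddresses(name string, addrs []netip.Addr) error
	AddStatusAndAddresses(name string, addrs []netip.Addr) error
}

// Allocator assigns addresses to ServiceEntries and persists them.
type Allocator struct {
	Pool  *Pool
	Patch Patcher
}

// Assign allocates one address for the named ServiceEntry and writes it back.
// If both patch paths fail, the newly allocated address is released so that a
// rejected patch cannot leak it, which is the behaviour this release fixes.
func (a *Allocator) Assign(name string) (netip.Addr, error) {
	addr, err := a.Pool.Allocate()
	if err != nil {
		return netip.Addr{}, err
	}
	newlyAllocated := []netip.Addr{addr}
	if err := a.Patch.ReplaceAddresses(name, newlyAllocated); err == nil {
		return addr, nil
	}
	err = a.Patch.AddStatusAndAddresses(name, newlyAllocated)
	if err == nil {
		return addr, nil
	}
	a.Pool.Free(newlyAllocated...)
	return netip.Addr{}, fmt.Errorf("status patch for %s rejected, released %v: %w", name, newlyAllocated, err)
}

// FakePatcher (constructed) lets the caller choose which patch paths fail.
type FakePatcher struct{ ReplaceErr, AddErr error }

func (f FakePatcher) ReplaceAddresses(string, []netip.Addr) error       { return f.ReplaceErr }
func (f FakePatcher) AddStatusAndAddresses(string, []netip.Addr) error { return f.AddErr }

func main() {
	pool, _ := NewPool("240.240.0.0/24", 4)
	conflict := errors.New("the object has been modified")
	alloc := &Allocator{Pool: pool, Patch: FakePatcher{ReplaceErr: conflict, AddErr: conflict}}
	_, err := alloc.Assign("external-api")
	fmt.Println(err, "| available:", pool.Available())
}
```

Without the Free call in the failure path the pool would shrink by one address on every rejected patch, which is the exhaustion the page describes.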
SSRF Protection in WasmPlugin Image Fetching
This release enhances the security of WasmPlugin image fetching by implementing Server-Side Request Forgery (SSRF) protection. A potential vulnerability existed where malicious bearer token realm URLs in WWW-Authenticate headers could be used to trick the Wasm image fetcher into making requests to internal or sensitive endpoints. This fix prevents such attacks, ensuring that Wasm module distribution remains secure.
A new ssrfProtectionTransport is introduced in pkg/wasm/imagefetcher.go. This custom http.RoundTripper wrapper intercepts HTTP responses, specifically checking 401 Unauthorized responses for WWW-Authenticate headers. It then uses validateAllRealms to scrutinize all realm URLs, blocking non-HTTP/HTTPS schemes, known cloud metadata service hosts (metadata.google.internal), localhost, and private/loopback/link-local IP addresses. Any detected malicious realm will cause the request to be rejected, effectively mitigating SSRF risks during image fetching.
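The Go program below is an added example of the same guard, not Istio's ssrfProtectionTransport: a realm validator that enforces http/https only, blocks the hostnames named above, and rejects IP literals that are loopback, private, link-local or unspecified (so 169.254.169.254 is caught by the link-local check), a parser for realm="..." in WWW-Authenticate, and an http.RoundTripper wrapper that refuses a 401 whose challenge points at a forbidden realm. One caveat a practitioner should keep in mind: hostnames are not resolved here, so a DNS name that resolves to a private address is only caught if the same check is repeated at dial time. The challenge headers and realm URLs are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Hostnames that must never be contacted as a bearer-token realm.
var blockedHosts = map[string]bool{
	"localhost":                true,
	"metadata.google.internal": true,
}

var realmRe = regexp.MustCompile(`(?i)realm="([^"]*)"`)

// ValidateRealm rejects a realm URL that would steer the fetcher at an
// internal endpoint: non-http(s) schemes, blocked hostnames, and IP literals
// that are loopback, private, link-local or unspecified. Hostnames are not
// resolved, so a DNS name pointing at a private address must be caught again
// when the connection is dialled.
func ValidateRealm(realm string) error {
	u, err := url.Parse(realm)
	if err != nil {
		return fmt.Errorf("realm %q: %w", realm, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("realm %q: scheme %q not allowed", realm, u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || blockedHosts[host] {
		return fmt.Errorf("realm %q: host %q not allowed", realm, host)
	}
	if ip := net.ParseIP(host); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
			ip.IsLinkLocalMulticast() || ip.IsUnspecified() {
			return fmt.Errorf("realm %q: address %s is not a public address", realm, ip)
		}
	}
	return nil
}

// RealmsFromChallenge extracts every realm="..." from the WWW-Authenticate
// header values of a response.
func RealmsFromChallenge(h http.Header) []string {
	var realms []string
	for _, v := range h.Values("WWW-Authenticate") {
		for _, m := range realmRe.FindAllStringSubmatch(v, -1) {
			realms = append(realms, m[1])
		}
	}
	return realms
}

// SSRFGuard wraps a RoundTripper and refuses to hand back a 401 whose
// challenge names a forbidden realm, so the registry client never follows it
// to request a token.
type SSRFGuard struct{ Next http.RoundTripper }

func (g SSRFGuard) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := g.Next.RoundTrip(req)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode == http.StatusUnauthorized {
		for _, realm := range RealmsFromChallenge(resp.Header) {
			if verr := ValidateRealm(realm); verr != nil {
				if resp.Body != nil {
					resp.Body.Close()
				}
				return nil, fmt.Errorf("blocked bearer realm: %w", verr)
			}
		}
	}
	return resp, nil
}

// StaticRoundTripper (constructed) returns a canned response for any request.
type StaticRoundTripper struct{ Resp *http.Response }

func (s StaticRoundTripper) RoundTrip(*http.Request) (*http.Response, error) { return s.Resp, nil }

func main() {
	h := http.Header{}
	h.Add("WWW-Authenticate", `Bearer realm="http://169.254.169.254/latest/",service="registry"`)
	guard := SSRFGuard{Next: StaticRoundTripper{&http.Response{StatusCode: 401, Header: h}}}
	_, err := guard.RoundTrip(&http.Request{})
	fmt.Println(err)
}
```

The guard is installed as the Transport of the http.Client used for registry requests; the real transport then only ever sees realms that passed validation.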
Minor Updates & Housekeeping
This release includes numerous minor fixes and improvements, such as ensuring proper dependency tracking for backend policies, correcting minimum TLS version application in downstream contexts, and resolving various nil pointer dereferences in ServiceEntry validation and meshwatcher adapters. It also incorporates updates to proxy and ztunnel components, enhancing overall system stability and performance.