| 1.0 | July 8, 2020 | Initial Reason |
Keptn installations 0.6.2 and older.
Note: This is not applicable if you have installed Keptn using
Keptn 0.6.2 and older versions install an outdated and potentially insecure version of Istio: Keptn 0.6.x installs Istio 1.3, and Keptn 0.5.x installs Istio 1.2.
This vulnerability affects a third-party component and is publicly known via the Istio security bulletins. There is reason to believe that it has been maliciously exploited in the past, as Istio is an often-targeted component in cloud application workloads.
CVSSv3.1 Rating: 9.0 (Very High)
CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Considering that we are shipping an old version of Istio (1.2 or 1.3, respectively) and that several vulnerabilities are known for these versions (see https://istio.io/latest/news/security/ ), we took the highest CVSS score that Istio itself has reported, which is 9.0 (Very High). The known issues range from heap overflow and denial of service to authentication policy bypass.
If you install Keptn, install the latest version of Istio first, then install Keptn using the
As this affects a third-party component, guidance on identifying whether a vulnerability has been exploited is documented on the Istio website: https://istio.io/latest/news/security/
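The advisory names the affected Istio release lines (1.2.x shipped by Keptn 0.5.x, 1.3.x shipped by Keptn 0.6.x) but does not show how to check what a cluster is actually running. The script below is an added example and is not part of the Keptn advisory or the Keptn project; it reads the image tags of the pods in the Istio control-plane namespace and flags any image whose tag is 1.3.x or older. It assumes Istio is installed in the `istio-system` namespace (the Istio default) and that `kubectl` has read access to it; the embedded image list is constructed sample data so the script also runs without a cluster.

```shell
#!/bin/sh
# Added example, not part of the Keptn advisory: audit Istio control-plane
# images for the release lines the advisory names (1.2.x shipped by
# Keptn 0.5.x, 1.3.x shipped by Keptn 0.6.x) or anything older.
# Assumes Istio lives in the "istio-system" namespace (Istio's default).
set -eu

# Affected if the version is 1.3.x or older.
# Exit status: 0 = affected, 1 = not affected, 2 = no parseable version.
istio_version_affected() {
  ver="${1#v}"                       # tolerate a leading "v"
  case "$ver" in *.*) ;; *) return 2 ;; esac
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  case "$major" in '' | *[!0-9]*) return 2 ;; esac
  case "$minor" in '' | *[!0-9]*) return 2 ;; esac
  if [ "$major" -lt 1 ]; then return 0; fi
  if [ "$major" -eq 1 ] && [ "$minor" -le 3 ]; then return 0; fi
  return 1
}

# Print the tag of an image reference, or nothing when it has no tag.
# Registry ports (host:5000/...) and @sha256 digests are handled.
image_tag() {
  ref="${1%%@*}"                     # drop a trailing digest
  tag="${ref##*:}"
  case "$tag" in */*) tag="" ;; esac # the colon belonged to the registry port
  if [ "$tag" = "$ref" ]; then tag=""; fi
  printf '%s\n' "$tag"
}

# Scan a newline-separated list of image references.
# Prints AFFECTED / UNKNOWN lines; exit status 0 if any image is affected.
scan_images() {
  found=1
  while IFS= read -r img; do
    case "$img" in '' | '#'*) continue ;; esac
    tag=$(image_tag "$img")
    rc=0
    istio_version_affected "$tag" || rc=$?
    if [ "$rc" -eq 0 ]; then
      printf 'AFFECTED  %s\n' "$img"
      found=0
    elif [ "$rc" -eq 2 ]; then
      printf 'UNKNOWN   %s (no version tag; check the image manually)\n' "$img"
    fi
  done <<EOF
$1
EOF
  return $found
}

# Live check against the cluster (needs kubectl read access to istio-system).
scan_cluster() {
  images=$(kubectl -n istio-system get pods \
    -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}')
  scan_images "$images"
}

# Constructed sample, not real cluster output: a Keptn 0.6.x style Istio 1.3
# control plane next to a current image and one untagged image.
SAMPLE_IMAGES='docker.io/istio/pilot:1.3.6
docker.io/istio/proxyv2:1.3.6
docker.io/istio/citadel:1.3.6
registry.example.internal:5000/istio/pilot:1.9.5@sha256:0123456789abcdef
docker.io/istio/proxyv2'

if [ "${1:-}" = "--cluster" ]; then
  scan_cluster
else
  if scan_images "$SAMPLE_IMAGES"; then
    echo "result: affected Istio images found"
  else
    echo "result: no affected Istio images"
  fi
fi
```

Run it with `--cluster` to inspect a live cluster; without arguments it scans the constructed sample. Images without a version tag are reported as UNKNOWN rather than silently passed, since an untagged or `latest` image gives no evidence either way.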