Summary
This document is a technical report detailing the findings of the Istio Security Audit conducted by Ada Logics in collaboration with the Open Source Technology Improvement Fund (OSTIF) and sponsored by the Cloud Native Computing Foundation (CNCF). The audit aimed to formalize a threat model for Istio, perform a manual code audit, review previous audit fixes, enhance the fuzzing suite, and conduct a SLSA review. The audit revealed several security issues, including one CVE and vulnerabilities affecting managed Istio offerings. The report outlines notable findings, including a significant issue related to uncapped H2c handlers that could lead to denial of service scenarios. The audit also assessed the fuzz testing capabilities of Istio, resulting in the addition of six new fuzzers to the OSS-Fuzz integration. Overall, the report concludes that Istio is a well-maintained project with a strong security approach, although some components, particularly the Istio Operator, require further attention.
