Technology: istio-proxy
| ID | Title | Description | Category | Technology | Tags |
|---|---|---|---|---|---|
| CRE-2025-0109 Medium Impact: 8/10 Mitigation: 7/10 | Ambient HTTP status codes by Ztunnel | When Ambient mode is enabled, Ztunnel tunnels HTTP over HBONE (HTTP CONNECT) and although it's a TCP proxy, it still tags its "connection complete" log lines with the HTTP status code from the upstream response (e.g. 503, 401). This CRE verifies that non-2xx responses are correctly surfaced. | Istio Ambient Troubleshooting | istio-proxy | IstioAmbientZtunnel |
| CRE-2025-0110 High Impact: 8/10 Mitigation: 7/10 | Ztunnel Traffic timeouts in Istio Ambient Mode | Detects when Istio Ambient-mode HBONE (mTLS) traffic is blocked or dropped— resulting in Ztunnel logging timeouts such as `io error: deadline has elapsed` or `connection timed out, maybe a NetworkPolicy is blocking HBONE port 15008`. | Istio Ambient Troubleshooting | istio-proxy | IstioAmbientZtunnel |