ContextQMD
Back to Istio Io

ISTIO-SECURITY-2020-002

content/en/news/security/istio-security-2020-002/index.md

latest1.2 KB
Original Source

{{< security_bulletin >}}

Istio 1.3 to 1.3.6 contain a vulnerability affecting Mixer policy checks.

Note: We regret that the vulnerability was silently fixed in Istio 1.4.0 and Istio 1.3.7. An issue was raised and fixed in Istio 1.4.0 as a non-security issue. We reclassified the issue as a vulnerability in Dec 2019.

  • CVE-2020-8843: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress. To be vulnerable, Istio must have Mixer Policy enabled and used in the specified way. This feature is disabled by default in Istio 1.3 and 1.4.

Mitigation

  • For Istio 1.3.x deployments: update to Istio 1.3.7 or later.

Credit

The Istio team would like to thank Krishnan Anantheswaran and Eric Zhang of Splunk for the private bug report.

{{< boilerplate "security-vulnerability" >}}