content/en/news/security/istio-security-2021-006/index.md
{{< security_bulletin >}}
Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster,
bypassing authorization checks, when a gateway is configured with `AUTO_PASSTHROUGH` routing.
This vulnerability impacts only usage of the `AUTO_PASSTHROUGH` Gateway type, which is typically only used in multi-network multi-cluster deployments.
The TLS mode of all Gateways in the cluster can be detected with the following command:
{{< text bash >}}
$ kubectl get gateways.networking.istio.io -A -o "custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,TLS_MODE:.spec.servers[*].tls.mode"
{{< /text >}}
If the output shows any `AUTO_PASSTHROUGH` Gateways, you may be impacted.
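In a cluster with many Gateways, the table from the command above can be filtered mechanically. The following is an added example, not part of the original bulletin or the Istio project: the function name `find_auto_passthrough` and the sample rows are constructed, and it assumes kubectl joins the modes of multi-server Gateways with commas and prints `<none>` when no TLS mode is set.

```shell
#!/bin/sh
# Reads the table printed by the bulletin's kubectl command on stdin and
# prints "namespace/name" for each Gateway that has at least one server
# in AUTO_PASSTHROUGH mode. Exit status: 1 if any were found, 0 if none,
# so the function can gate a CI or audit job.
find_auto_passthrough() {
  awk '
    # Skip the header row if present (absent with --no-headers).
    $1 == "NAMESPACE" && $3 == "TLS_MODE" { next }
    NF >= 3 {
      # Assumption: one Gateway with several servers yields a
      # comma-separated list such as "SIMPLE,AUTO_PASSTHROUGH".
      n = split($3, modes, ",")
      for (i = 1; i <= n; i++)
        if (modes[i] == "AUTO_PASSTHROUGH") {
          print $1 "/" $2
          found = 1
          break
        }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample output (not taken from a real cluster).
sample_output() {
  cat <<'EOF'
NAMESPACE      NAME                    TLS_MODE
istio-system   cross-network-gateway   AUTO_PASSTHROUGH
istio-system   ingressgateway          SIMPLE,PASSTHROUGH
default        mixed-gateway           SIMPLE,AUTO_PASSTHROUGH
default        http-only               <none>
EOF
}

# Demonstration on the constructed sample; against a live cluster, pipe
# the bulletin's kubectl command into find_auto_passthrough instead.
sample_output | find_auto_passthrough || true
```

The match is exact per mode, so a Gateway using plain `PASSTHROUGH` is not flagged.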
Update your cluster to the latest supported version:
We would like to thank John Howard (Google) for reporting this issue.