Security Update - CVE-2019-12243

During review of the Istio 1.1.7 release notes, we realized that issue 13868, which is fixed in the release, actually represents a security vulnerability.

Initially we thought the bug affected only the TCP Authorization feature, which is advertised at alpha stability and would not have required invoking this security advisory process, but we later realized that the Deny Checker and List Checker features were also affected, and those are considered stable features. We are revisiting our processes to flag vulnerabilities that are initially reported as bugs instead of through the private disclosure process.

We tracked the bug to a code change introduced in Istio 1.1 and affecting all versions up to 1.1.6.

This vulnerability is referred to as CVE-2019-12243.

Affected Istio releases

The following Istio releases are vulnerable:

  • 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6

Impact score

Overall CVSS score: 8.9 AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:H/RL:O/RC:C

Vulnerability impact and detection

Since Istio 1.1, policy enforcement is disabled in the default Istio installation profile.

You can check the status of policy enforcement for your mesh with the following command:

$ kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
disablePolicyChecks: true

You are not impacted by this vulnerability if disablePolicyChecks is set to true.

You are impacted by this vulnerability if all of the following conditions are true:

  • You are running one of the affected Istio releases.
  • disablePolicyChecks is set to false (follow the steps mentioned above to check).
  • Your workload is NOT using the HTTP, HTTP/2, or gRPC protocols.
  • A mixer adapter (e.g., Deny Checker, List Checker) is used to provide authorization for your backend TCP service.
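The version and disablePolicyChecks conditions above can be evaluated offline from the values a defender collects from the cluster. The following script is an added example, not part of this advisory or of Istio itself; it takes the control-plane version and the text of the mesh config (what the kubectl command above prints) and reports whether the remaining TCP-authorization condition still needs to be reviewed. The sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Istio advisory): classify a mesh against the
# CVE-2019-12243 conditions from the control-plane version and the `mesh`
# entry of the istio ConfigMap.

# Affected control-plane versions listed in the advisory (1.1 is tagged 1.1.0).
version_affected() {
  case "$1" in
    1.1|1.1.0|1.1.1|1.1.2|1.1.3|1.1.4|1.1.5|1.1.6) return 0 ;;
    *) return 1 ;;
  esac
}

# Read the disablePolicyChecks key from the mesh config text.
# Prints "enabled" (disablePolicyChecks: false, so Mixer checks run),
# "disabled" (disablePolicyChecks: true) or "unknown" (key not present).
policy_checks_state() {
  if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*disablePolicyChecks:[[:space:]]*false[[:space:]]*$'; then
    echo enabled
  elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*disablePolicyChecks:[[:space:]]*true[[:space:]]*$'; then
    echo disabled
  else
    echo unknown
  fi
}

# Usage: classify_mesh VERSION MESH_CONFIG_TEXT
#   not-affected    : safe version, or policy checks disabled
#   review-tcp-auth : affected version with checks enabled; impacted only if a
#                     Mixer adapter authorizes a non-HTTP/HTTP2/gRPC TCP workload
#   check-manually  : affected version but the key could not be read
classify_mesh() {
  if ! version_affected "$1"; then
    echo not-affected
    return
  fi
  case "$(policy_checks_state "$2")" in
    disabled) echo not-affected ;;
    enabled)  echo review-tcp-auth ;;
    *)        echo check-manually ;;
  esac
}

# Constructed sample mesh configs standing in for the kubectl output.
SAMPLE_DEFAULT='disablePolicyChecks: true
enableTracing: true'
SAMPLE_POLICY='disablePolicyChecks: false
enableTracing: true'

classify_mesh 1.1.5 "$SAMPLE_DEFAULT"   # prints not-affected
classify_mesh 1.1.5 "$SAMPLE_POLICY"    # prints review-tcp-auth
```

A "review-tcp-auth" result is not a confirmed impact: the fourth condition (a Mixer adapter authorizing a TCP workload) still has to be checked against the mesh's policy configuration.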

Mitigation

  • Users of Istio 1.0.x are not affected
  • For Istio 1.1.x deployments: update to a minimum version of Istio 1.1.7

Credit

The Istio team would like to thank Haim Helman for the original bug report.