ISTIO-SECURITY-2020-001

Security Bulletin

Disclosure Details
CVE(s): CVE-2020-8595
CVSS Impact Score: 9.0 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Releases: 1.3 to 1.3.7, 1.4 to 1.4.3

Istio 1.3 to 1.3.7 and 1.4 to 1.4.3 are affected by a newly discovered vulnerability in Authentication Policy:

  • CVE-2020-8595: A bug in Istio's Authentication Policy exact path matching logic allows unauthorized access to resources without a valid JWT token. This bug affects all versions of Istio that support JWT Authentication Policy with path based trigger rules. The logic for the exact path match in the Istio JWT filter includes query strings or fragments instead of stripping them off before matching. This means attackers can bypass the JWT validation by appending ? or # characters after the protected paths.
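
The matching behaviour described above, modelled in a short C++ example that is added here and is not Istio's or Envoy's source code. The protected paths, function names and sample request paths are constructed for illustration; the last two helpers flag logged request paths that would have skipped JWT validation on an affected release.

```cpp
// Simplified model of exact-path trigger rule matching (added example,
// not Istio's source). All names and sample paths are constructed.
#include <string>
#include <vector>

// Paths an operator protected with exact-match trigger rules (constructed).
static const std::vector<std::string> kProtectedExactPaths = {
    "/productpage", "/api/admin"};

// Drop everything from the first '?' or '#' so only the path remains.
std::string StripQueryAndFragment(const std::string& raw) {
  const std::string::size_type cut = raw.find_first_of("?#");
  return cut == std::string::npos ? raw : raw.substr(0, cut);
}

static bool MatchesExact(const std::string& candidate) {
  for (const std::string& p : kProtectedExactPaths) {
    if (candidate == p) return true;
  }
  return false;
}

// Behaviour described in the bulletin: the raw request path, query string
// and fragment included, is compared against the rule, so the rule misses.
bool JwtRequiredAffected(const std::string& raw_path) {
  return MatchesExact(raw_path);
}

// Corrected behaviour: compare only the path component.
bool JwtRequiredFixed(const std::string& raw_path) {
  return MatchesExact(StripQueryAndFragment(raw_path));
}

// Log-review helper: true when a request targets a protected path but
// would not have triggered JWT validation on an affected release.
bool SkippedValidationOnAffected(const std::string& raw_path) {
  return JwtRequiredFixed(raw_path) && !JwtRequiredAffected(raw_path);
}

// Count such requests in a list of logged request paths.
int CountSkipped(const std::vector<std::string>& logged_paths) {
  int n = 0;
  for (const std::string& p : logged_paths) {
    if (SkippedValidationOnAffected(p)) ++n;
  }
  return n;
}
```

A non-zero count from `CountSkipped` over access-log paths recorded before the upgrade identifies requests whose authentication outcome is worth reviewing.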

Mitigation

  • For Istio 1.3.x deployments: update to Istio 1.3.8 or later.
  • For Istio 1.4.x deployments: update to Istio 1.4.4 or later.

Credit

The Istio team would like to thank Aspen Mesh for the original bug report and code fix of CVE-2020-8595.
