ISTIO-SECURITY-2020-002

Security Bulletin

Disclosure Details
CVE(s)CVE-2020-8843
CVSS Impact Score7.4 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Releases1.3 to 1.3.6

Istio 1.3 to 1.3.6 contain a vulnerability affecting Mixer policy checks.

Note: We regret that the vulnerability was silently fixed in Istio 1.4.0 and Istio 1.3.7. An issue was raised and fixed in Istio 1.4.0 as a non-security issue. We reclassified the issue as a vulnerability in Dec 2019.

  • CVE-2020-8843: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress. To be vulnerable, Istio must have Mixer Policy enabled and used in the specified way. This feature is disabled by default in Istio 1.3 and 1.4.

Mitigation

  • For Istio 1.3.x deployments: update to Istio 1.3.7 or later.

Credit

The Istio team would like to thank Krishnan Anantheswaran and Eric Zhang of Splunk for the private bug report.

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.

Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!