ISTIO-SECURITY-2020-008

Incorrect validation of wildcard DNS Subject Alternative Names.

Jul 9, 2020

Disclosure Details
CVE(s): CVE-2020-15104
CVSS Impact Score: 6.6 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C
Affected Releases: 1.5 to 1.5.7; 1.6 to 1.6.4; All releases prior to 1.5

Istio is vulnerable to a newly discovered vulnerability:

Istio users are exposed to this vulnerability in the following ways:

The Istio CA, which was formerly known as Citadel, does not issue certificates with DNS wildcard SANs. The vulnerability only impacts configurations that validate externally issued certificates.

Mitigation

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.