ISTIO-SECURITY-2021-001

JWT authentication can be bypassed when AuthorizationPolicy is misused.

Mar 1, 2021

Disclosure Details
CVE(s): CVE-2021-21378
CVSS Impact Score: 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Affected Releases: 1.9.0

Envoy, and consequently Istio, is affected by a newly discovered vulnerability (CVE-2021-21378) that allows JWT authentication to be bypassed:

You are subject to the vulnerability if you rely on RequestAuthentication alone for JWT validation.

You are not subject to the vulnerability if you use both RequestAuthentication and AuthorizationPolicy for JWT validation.

For Istio, this vulnerability only exists if your service:

* Accepts JWT tokens (with RequestAuthentication)
* Has some service paths without AuthorizationPolicy applied

For the service paths where both conditions are met, an incoming request carrying a JWT whose issuer is not listed in the RequestAuthentication bypasses JWT validation instead of being rejected: the request is passed on as if it carried no token at all, so nothing denies it unless an AuthorizationPolicy requires an authenticated request principal.

Mitigation

For proper JWT validation, always pair RequestAuthentication with an AuthorizationPolicy that requires a valid token (a request principal), as documented on istio.io. To do this, audit all of your RequestAuthentication resources and the AuthorizationPolicy resources that accompany them, and make sure every workload that accepts JWTs is covered by a policy following the documented practice.
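The vulnerable pattern beside the mitigated one, as an added example that is not part of the original advisory or of Istio's own documentation. The namespace foo, the app=httpbin selector, the issuer https://issuer.example.com and its JWKS URL are placeholders chosen for illustration:

```yaml
# Vulnerable pattern on Istio 1.9.0: RequestAuthentication used alone.
# A request whose JWT names an issuer that is NOT listed in jwtRules is
# not rejected; it continues as if it carried no token, and without an
# AuthorizationPolicy nothing stops it from reaching the workload.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example
  namespace: foo                 # placeholder namespace
spec:
  selector:
    matchLabels:
      app: httpbin               # placeholder workload label
  jwtRules:
  - issuer: "https://issuer.example.com"                  # placeholder issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder JWKS URL
---
# Mitigation: pair the RequestAuthentication above with an AuthorizationPolicy
# on the same workload that only allows requests carrying a request principal.
# A principal is only set for a JWT that RequestAuthentication validated, so a
# request with no token, or with a token from an unlisted issuer, has no
# principal and is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        # "*" matches any non-empty principal, i.e. any validated JWT.
        # To pin the issuer as well, use "https://issuer.example.com/*"
        # (principals have the form <issuer>/<subject>).
        requestPrincipals: ["*"]
```

Apply both resources together. The AuthorizationPolicy is what closes the gap: with it in place, a request bearing a token from an unlisted issuer is denied by the policy even on a release where RequestAuthentication alone would have let it through. Paths that must stay reachable without a token need their own explicit rule in the policy rather than being left uncovered.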

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.