ISTIO-SECURITY-2022-001

Authorization Policy For Host Rules During Upgrades.

Jan 18, 2022

Disclosure Details

CVE(s): CVE-2022-21679
CVSS Impact Score: 6.8 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected Releases: 1.12.0 to 1.12.1

CVE

CVE-2022-21679

Istio 1.12.0/1.12.1 will generate incorrect configuration for proxies of version 1.11, affecting the hosts and notHosts fields in the authorization policy. The incorrect configuration could cause requests to accidentally bypass, or be rejected by, an authorization policy that uses the hosts or notHosts fields.

The issue happens when mixing the 1.12.0/1.12.1 control plane with the 1.11 data plane and using the hosts or notHosts field in the authorization policy.
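As an added example (not part of the Istio advisory or the Istio project), the following Python script triages a cluster for the combination the advisory describes: an istiod at 1.12.0 or 1.12.1, at least one 1.11 proxy still in the data plane, and an AuthorizationPolicy that uses hosts or notHosts. It reads the JSON shape produced by `kubectl get pods -A -o json` and `kubectl get authorizationpolicies -A -o json`, so it can be run against saved dumps. It assumes istiod can be recognised by its `istio/pilot` image and proxies by a container named `istio-proxy`; the two sample documents below are constructed for this example.

```python
"""Triage helper for the mixed 1.12.x control plane / 1.11 data plane condition.

Added example, not Istio project code. Input is the JSON that kubectl emits for
pods and AuthorizationPolicy resources; sample documents below are constructed.
"""
import json
import re
from typing import Dict, List, Optional, Set

AFFECTED_CONTROL_PLANE = {"1.12.0", "1.12.1"}  # releases named in the advisory
AFFECTED_PROXY_MINOR = "1.11"                   # data-plane version that gets bad config
HOST_FIELDS = ("hosts", "notHosts")             # AuthorizationPolicy operation fields at issue

# Matches the version tag at the end of an image reference, e.g. "...:1.11.4-distroless".
_TAG_RE = re.compile(r":(\d+\.\d+\.\d+)(?:-[\w.]+)?$")


def version_from_image(image: str) -> Optional[str]:
    """Return '1.12.1' from 'docker.io/istio/pilot:1.12.1', or None if untagged."""
    m = _TAG_RE.search(image)
    return m.group(1) if m else None


def _container_versions(pods: dict, predicate) -> Set[str]:
    found: Set[str] = set()
    for pod in pods.get("items", []):
        for c in pod.get("spec", {}).get("containers", []):
            if predicate(c):
                v = version_from_image(c.get("image", ""))
                if v:
                    found.add(v)
    return found


def control_plane_versions(pods: dict) -> Set[str]:
    # Assumption: istiod runs the istio/pilot image (container "discovery").
    return _container_versions(pods, lambda c: "/pilot:" in c.get("image", ""))


def proxy_versions(pods: dict) -> Set[str]:
    # Assumption: sidecars and gateways run in a container named "istio-proxy".
    return _container_versions(pods, lambda c: c.get("name") == "istio-proxy")


def policies_using_host_fields(policies: dict) -> List[Dict[str, object]]:
    """List AuthorizationPolicies whose rules[].to[].operation sets hosts/notHosts."""
    hits: List[Dict[str, object]] = []
    for pol in policies.get("items", []):
        meta = pol.get("metadata", {})
        used: Set[str] = set()
        for rule in pol.get("spec", {}).get("rules") or []:
            for to in rule.get("to") or []:
                op = to.get("operation") or {}
                used.update(f for f in HOST_FIELDS if op.get(f))
        if used:
            hits.append({"namespace": meta.get("namespace"),
                         "name": meta.get("name"), "fields": sorted(used)})
    return hits


def assess(pods: dict, policies: dict) -> dict:
    """All three conditions must hold for the cluster to be exposed."""
    cp = control_plane_versions(pods)
    affected_cp = cp & AFFECTED_CONTROL_PLANE
    old_proxies = {v for v in proxy_versions(pods) if v.startswith(AFFECTED_PROXY_MINOR + ".")}
    host_policies = policies_using_host_fields(policies)
    return {
        "control_plane": sorted(cp),
        "affected_control_plane": sorted(affected_cp),
        "proxies_1_11": sorted(old_proxies),
        "host_policies": host_policies,
        "affected": bool(affected_cp and old_proxies and host_policies),
    }


# Constructed sample: istiod 1.12.1, one sidecar still on 1.11.4, one already on 1.12.1.
SAMPLE_PODS = json.loads("""{"items": [
  {"metadata": {"namespace": "istio-system", "name": "istiod-5c9f"},
   "spec": {"containers": [{"name": "discovery", "image": "docker.io/istio/pilot:1.12.1"}]}},
  {"metadata": {"namespace": "shop", "name": "cart-7d"},
   "spec": {"containers": [{"name": "cart", "image": "example.invalid/cart:3"},
                           {"name": "istio-proxy", "image": "docker.io/istio/proxyv2:1.11.4-distroless"}]}},
  {"metadata": {"namespace": "shop", "name": "web-1a"},
   "spec": {"containers": [{"name": "web", "image": "example.invalid/web:9"},
                           {"name": "istio-proxy", "image": "docker.io/istio/proxyv2:1.12.1"}]}}
]}""")

# Constructed sample: one policy keyed on hosts, one keyed only on paths.
SAMPLE_POLICIES = json.loads("""{"items": [
  {"metadata": {"namespace": "shop", "name": "allow-by-host"},
   "spec": {"rules": [{"to": [{"operation": {"hosts": ["shop.example.invalid"]}}]}]}},
  {"metadata": {"namespace": "shop", "name": "allow-by-path"},
   "spec": {"rules": [{"to": [{"operation": {"paths": ["/healthz"]}}]}]}}
]}""")

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_PODS, SAMPLE_POLICIES), indent=2))
```

If `affected` comes back true, the report lists which proxies are still on 1.11 and which policies depend on host matching, which is exactly the set to prioritise while the data plane is upgraded; a `false` with a 1.12.x control plane but an empty `host_policies` list means the policies in use do not touch the fields that received incorrect configuration.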

Mitigation

Credit

We would like to thank Yangmin Zhu and @Aakash2017.