ISTIO-SECURITY-2020-002
Mixer policy check bypass caused by improperly accepting certain request headers.
Disclosure Details | |
---|---|
CVE(s) | CVE-2020-8843 |
CVSS Impact Score | 7.4 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Affected Releases | 1.3 to 1.3.6 |
Istio 1.3 to 1.3.6 contain a vulnerability affecting Mixer policy checks.
Note: We regret that the vulnerability was silently fixed in Istio 1.4.0 and Istio 1.3.7. An issue was raised and fixed in Istio 1.4.0 as a non-security issue. We reclassified the issue as a vulnerability in Dec 2019.
- CVE-2020-8843: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts
x-istio-attributes
header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress. To be vulnerable, Istio must have Mixer Policy enabled and used in the specified way. This feature is disabled by default in Istio 1.3 and 1.4.
Mitigation
- For Istio 1.3.x deployments: update to Istio 1.3.7 or later.
Credit
The Istio team would like to thank Krishnan Anantheswaran and Eric Zhang of Splunk for the private bug report.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.