ISTIO-SECURITY-2020-004

Default Kiali security configuration allows full control of mesh.

Mar 25, 2020

Disclosure Details
CVE(s): CVE-2020-1764
CVSS Impact Score: 8.7 AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Releases: 1.4 to 1.4.6
                   1.5

Istio 1.4 to 1.4.6 and Istio 1.5 contain the following vulnerability:

In addition, another CVE is fixed in this release, described in the Kiali security bulletin.

Detection

Your installation is vulnerable in the following configuration:

To check your Kiali version, run this command:

$ kubectl get pods -n istio-system -l app=kiali -o yaml | grep image:

To determine if the login token signing key is unset in the Kiali deployment (the LOGIN_TOKEN_SIGNING_KEY environment variable), run this command and check for blank output:

$ kubectl get deploy kiali -n istio-system -o yaml | grep LOGIN_TOKEN_SIGNING_KEY

To determine if the signing key is unset in the Kiali config map, run this command and check for blank output:

$ kubectl get cm kiali -n istio-system -o yaml | grep signing_key

Both greps only show whether the setting is declared: a variable or key that is present with an empty value still prints a line, so confirm that the value shown is actually non-empty.
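The three checks above combined into one script, as an added example that is not part of the Istio bulletin or the Kiali project: it parses the Kiali image tag out of pod YAML, extracts the LOGIN_TOKEN_SIGNING_KEY value from the Deployment and the signing_key value from the config map (the two names the bulletin gives), and treats an explicitly empty value the same as an absent one. The functions read kubectl output on stdin; the YAML objects at the bottom are constructed samples so the script runs offline, and the "--demo" flag and function names are this example's own. No fixed-version threshold is asserted, since this excerpt does not state one; compare the printed tag against the Kiali bulletin.

```shell
#!/bin/sh
# Added example, not from the Istio bulletin or the Kiali project: the three
# detection checks as shell functions that read kubectl YAML on stdin.
# LOGIN_TOKEN_SIGNING_KEY and signing_key are the names given in the bulletin;
# the sample YAML below is constructed so the script runs without a cluster.

# Print the Kiali image tag (text after the last ':' of the first 'image:'
# line), e.g. 'v1.14'. A digest-pinned image (@sha256:...) would print the
# digest instead, so inspect the raw line if the result does not look like a tag.
kiali_image_tag() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*"\{0,1\}\([^" ]*\)"\{0,1\}[[:space:]]*$/\1/p' \
        | head -n 1 | sed 's/.*://'
}

# Print the value of the LOGIN_TOKEN_SIGNING_KEY container env var from
# Deployment YAML, or nothing if it is absent or explicitly empty. A key
# supplied via valueFrom (e.g. a Secret) is reported as '<valueFrom>' because
# its value is not visible in the Deployment object itself.
deploy_signing_key() {
    awk '
        /^[[:space:]]*-[[:space:]]*name:[[:space:]]*LOGIN_TOKEN_SIGNING_KEY[[:space:]]*$/ { want = 1; next }
        want && /^[[:space:]]*value:/     { sub(/^[[:space:]]*value:[[:space:]]*/, ""); gsub(/^"|"$/, ""); print; exit }
        want && /^[[:space:]]*valueFrom:/ { print "<valueFrom>"; exit }
        want && /^[[:space:]]*-[[:space:]]*name:/ { exit }   # next env entry reached: no value was given
    '
}

# Print the signing_key value from the Kiali config map YAML, or nothing.
configmap_signing_key() {
    sed -n 's/^[[:space:]]*signing_key:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' | head -n 1
}

# Exit 0 when a non-empty signing key is set via either the env var or the
# config map, 1 when neither carries one (the default the bulletin describes).
kiali_signing_key_configured() {
    ksk_env=$(printf '%s\n' "$1" | deploy_signing_key)
    ksk_cm=$(printf '%s\n' "$2" | configmap_signing_key)
    [ -n "$ksk_env" ] || [ -n "$ksk_cm" ]
}

# Human-readable verdict for a (deployment YAML, configmap YAML) pair.
kiali_report() {
    if kiali_signing_key_configured "$1" "$2"; then
        echo "signing key configured"
    else
        echo "VULNERABLE: no login token signing key"
    fi
}

# Live use (needs cluster access):
#   kubectl get pods -n istio-system -l app=kiali -o yaml | kiali_image_tag
#   kiali_report "$(kubectl get deploy kiali -n istio-system -o yaml)" \
#                "$(kubectl get cm kiali -n istio-system -o yaml)"

# --- constructed sample objects (not real cluster output) ---
SAMPLE_POD='apiVersion: v1
kind: Pod
spec:
  containers:
  - args:
    - -config
    image: quay.io/kiali/kiali:v1.14
    name: kiali'

SAMPLE_DEPLOY_UNSET='spec:
  template:
    spec:
      containers:
      - env:
        - name: ACTIVE_NAMESPACE
          value: istio-system
        - name: SERVER_PORT
          value: "20001"'

SAMPLE_DEPLOY_EMPTY='spec:
  template:
    spec:
      containers:
      - env:
        - name: LOGIN_TOKEN_SIGNING_KEY
          value: ""'

SAMPLE_DEPLOY_SET='spec:
  template:
    spec:
      containers:
      - env:
        - name: LOGIN_TOKEN_SIGNING_KEY
          value: example-random-key-change-me'

SAMPLE_CM_UNSET='data:
  config.yaml: |
    server:
      port: 20001'

SAMPLE_CM_SET='data:
  config.yaml: |
    login_token:
      signing_key: example-random-key-change-me'

if [ "${1:-}" = "--demo" ]; then
    printf 'kiali image tag: %s\n' "$(printf '%s\n' "$SAMPLE_POD" | kiali_image_tag)"
    kiali_report "$SAMPLE_DEPLOY_UNSET" "$SAMPLE_CM_UNSET"
    kiali_report "$SAMPLE_DEPLOY_EMPTY" "$SAMPLE_CM_UNSET"
    kiali_report "$SAMPLE_DEPLOY_SET"   "$SAMPLE_CM_UNSET"
fi
```

Run with `sh check.sh --demo` to see the verdict for each constructed case; the second case (variable declared with an empty value) is the one the plain `grep` on the page would miss, because the `name:` line still prints.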

Mitigation