ISTIO-SECURITY-2021-001
JWT authentication can be bypassed when AuthorizationPolicy is misused.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2021-21378 |
| CVSS Impact Score | 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| Affected Releases | 1.9.0 |
Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:
- CVE-2021-21378:
JWT authentication bypass with unknown issuer token
- CVSS Score: 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
You are subject to the vulnerability if you are using RequestAuthentication alone for JWT validation.
You are not subject to the vulnerability if you use both RequestAuthentication and AuthorizationPolicy for JWT validation.
For Istio, this vulnerability only exists if your service:
- Accepts JWT tokens (with
RequestAuthentication) - Has some service paths without
AuthorizationPolicyapplied.
For the service paths that both conditions are met, an incoming request with a JWT token, and the token issuer is not in
RequestAuthentication will bypass the JWT validation, instead of getting rejected.
Mitigation
For proper JWT validation, you should always use the AuthorizationPolicy as documented on istio.io for
specifying a valid token.
To do this you will have to audit all of your RequestAuthentication and subsequent AuthorizationPolicy resources to
make sure they align with the documented practice.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.