ISTIO-SECURITY-2021-001
JWT authentication can be bypassed when AuthorizationPolicy is misused.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2021-21378 |
| CVSS Impact Score | 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| Affected Releases | 1.9.0 |
Envoy, and consequently Istio, is vulnerable to a newly discovered vulnerability:
- CVE-2021-21378: JWT authentication bypass with unknown issuer token
  - CVSS Score: 8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
You are subject to the vulnerability if you rely on RequestAuthentication alone for JWT validation. You are not subject to the vulnerability if you use both RequestAuthentication and AuthorizationPolicy for JWT validation, with the AuthorizationPolicy covering every path that accepts tokens.
For Istio, this vulnerability only exists if your service:
- Accepts JWT tokens (with RequestAuthentication)
- Has some service paths without AuthorizationPolicy applied
For the service paths where both conditions are met, an incoming request carrying a JWT whose issuer is not listed in the RequestAuthentication bypasses JWT validation instead of being rejected.
Mitigation
For proper JWT validation, you should always pair RequestAuthentication with an AuthorizationPolicy that requires a valid token, as documented on istio.io. RequestAuthentication on its own only validates tokens that are present and recognized; it is the AuthorizationPolicy that rejects requests without a valid principal.
To do this, audit all of your RequestAuthentication resources and the AuthorizationPolicy resources that accompany them, and make sure every workload and path selected by a RequestAuthentication is also covered by an AuthorizationPolicy that aligns with the documented practice.
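The documented practice, shown as an added example that is not part of this advisory or of the Istio project's own samples: a RequestAuthentication paired with an AuthorizationPolicy that only admits requests carrying a principal established from a listed issuer. The namespace `foo`, the workload label `app: httpbin`, the issuer and the JWKS URL are placeholders.

```yaml
# Added example (not from the advisory). Namespace, labels, issuer and
# jwksUri are placeholders.
#
# Vulnerable pattern on 1.9.0: this RequestAuthentication on its own.
# On paths with no AuthorizationPolicy, a request whose token comes from an
# issuer not listed in jwtRules is passed through instead of rejected.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"                         # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder
---
# Corrected pattern: an AuthorizationPolicy on the same workload that allows
# traffic only when a request principal ("<issuer>/<subject>") was
# established by the RequestAuthentication above. With an ALLOW policy in
# place, requests that match no rule are denied, so a missing token or a
# token from an unknown issuer is rejected on every path of the workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        # Pin the issuer rather than using "*", so only principals minted
        # from the listed issuer are accepted.
        requestPrincipals: ["https://issuer.example.com/*"]
```

When auditing, check that both resources select the same workload (same namespace and matching labels) and that the AuthorizationPolicy has no `to` rules that narrow it to a subset of paths; any path the policy does not cover is exactly the "service path without AuthorizationPolicy applied" the advisory describes.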
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.