ISTIO-SECURITY-2021-002
Upgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports.
Disclosure Details | |
---|---|
CVE(s) | N/A |
CVSS Impact Score | N/A |
Affected Releases | All releases 1.6 and later |
Upgrading from Istio versions 1.5 and prior, to 1.6 and later, may result in access control bypass:
- Incorrect gateway ports on authorization policies on upgrades: In Istio
versions 1.6 and later, the default container ports for Istio ingress
gateways are updated from port “80” to “8080” and “443” to “8443” to allow
gateways to run as non-root
by default. With this change, any existing authorization policies targeting
an Istio ingress gateway on ports
80
and443
need to be migrated to use the new container ports8080
and8443
, before upgrading to the listed versions. Failure to migrate may result in traffic reaching ingress gateway service ports80
and443
to be incorrectly allowed or blocked, thereby causing policy violations.
Example of an authorization policy resource that needs to be updated:
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: block-admin-access
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
action: DENY
rules:
- to:
- operation:
paths: ["/admin"]
ports: [ "80" ]
- to:
- operation:
paths: ["/admin"]
ports: [ "443" ]
The above policy in Istio versions 1.5 and prior will block all access to path
/admin
for traffic reaching an Istio ingress gateway on container ports 80
and 443
. On upgrading to Istio version 1.6 and later, this policy should
be updated to the following to have the same effect:
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: block-admin-access
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
action: DENY
rules:
- to:
- operation:
paths: ["/admin"]
ports: [ "8080" ]
- to:
- operation:
paths: ["/admin"]
ports: [ "8443"
Mitigation
- Update your authorization policies before upgrading to the
affected Istio versions. You can use this script
to check if any of the existing authorization policies
attached to the default Istio ingress gateway in the
istio-system
namespace need to be updated. If you’re using a custom gateway installation, you can customize the script to run with parameters applicable to your environment.
It is recommended to create a copy of your existing authorization policies, update the copied version to use new gateway workload ports, and apply both existing and updated policies in your cluster, before initiating the upgrade process. You should only delete the old policies after a successful upgrade, to ensure no policy violations occur on upgrade failures or rollbacks.
Credit
We’d like to thank Neeraj Poddar for reporting this issue.
Reporting vulnerabilities
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.