ISTIO-SECURITY-2021-002

Upgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports.

Apr 7, 2021

Disclosure Details
CVE(s): N/A
CVSS Impact Score: N/A
Affected Releases: All releases 1.6 and later

Upgrading from Istio versions 1.5 and prior to 1.6 and later may result in an access control bypass: authorization policies that match on the ingress gateway's old container ports no longer match traffic arriving on the new ports, so the rules they express stop being enforced.

Example of an authorization policy resource that needs to be updated:

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: block-admin-access
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/admin"]
        ports: ["80"]
  - to:
    - operation:
        paths: ["/admin"]
        ports: ["443"]

The above policy in Istio versions 1.5 and prior will block all access to path /admin for traffic reaching an Istio ingress gateway on container ports 80 and 443. On upgrading to Istio version 1.6 and later, this policy should be updated to the following to have the same effect:

apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: block-admin-access
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/admin"]
        ports: ["8080"]
  - to:
    - operation:
        paths: ["/admin"]
        ports: ["8443"]

Mitigation

It is recommended to create a copy of your existing authorization policies, update the copied version to use new gateway workload ports, and apply both existing and updated policies in your cluster, before initiating the upgrade process. You should only delete the old policies after a successful upgrade, to ensure no policy violations occur on upgrade failures or rollbacks.
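The copy-and-remap step of this mitigation, as an added example that is not part of the advisory or of Istio itself. It takes an AuthorizationPolicy in the dict shape `kubectl get authorizationpolicy -o json` returns, and produces a renamed copy (the `-v16` suffix is an assumed naming convention) with the old gateway ports 80/443 rewritten to 8080/8443; policies that do not select the ingress gateway, or whose rules do not match on ports at all, need no copy and yield `None`.

```python
import copy
from typing import Optional

# Ingress gateway container ports before and after Istio 1.6 (from the advisory).
GATEWAY_PORT_MAP = {"80": "8080", "443": "8443"}
# Workload selector the advisory's policies use for the ingress gateway.
GATEWAY_LABELS = {"istio": "ingressgateway"}

# Constructed sample: the pre-1.6 policy from the advisory as `kubectl get -o json` returns it.
SAMPLE_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "block-admin-access", "namespace": "istio-system"},
    "spec": {
        "selector": {"matchLabels": {"istio": "ingressgateway"}},
        "action": "DENY",
        "rules": [
            {"to": [{"operation": {"paths": ["/admin"], "ports": ["80"]}}]},
            {"to": [{"operation": {"paths": ["/admin"], "ports": ["443"]}}]},
        ],
    },
}

def selects_ingress_gateway(policy: dict) -> bool:
    """True when the policy's workload selector targets the ingress gateway."""
    labels = policy.get("spec", {}).get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in GATEWAY_LABELS.items())

def migrate_gateway_policy(policy: dict, suffix: str = "-v16") -> Optional[dict]:
    """Return a renamed copy with the old gateway ports remapped, or None if none is needed.
    None means: the policy does not select the ingress gateway, or no rule matches on
    the old ports (a rule without `ports` applies to every port and keeps working).
    """
    if not selects_ingress_gateway(policy):
        return None
    migrated, changed = copy.deepcopy(policy), False
    for rule in migrated["spec"].get("rules", []):
        for target in rule.get("to", []):
            op = target.get("operation", {})
            for field in ("ports", "notPorts"):  # both fields carry gateway port numbers
                if field in op:
                    remapped = [GATEWAY_PORT_MAP.get(str(p), str(p)) for p in op[field]]
                    changed = changed or remapped != [str(p) for p in op[field]]
                    op[field] = remapped
    if not changed:
        return None
    # Distinct name so the copy can be applied next to the original before upgrading.
    migrated["metadata"]["name"] = policy["metadata"]["name"] + suffix
    return migrated
```

Apply the returned copy alongside the original before the upgrade, and delete the original only after the upgrade has succeeded, as the mitigation above describes.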

Credit

We’d like to thank Neeraj Poddar for reporting this issue.

Reporting vulnerabilities

We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.