ISTIO-SECURITY-2022-001
Authorization Policy For Host Rules During Upgrades.
| Disclosure Details | |
|---|---|
| CVE(s) | CVE-2022-21679 |
| CVSS Impact Score | 6.8 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Affected Releases | 1.12.0 to 1.12.1 |
CVE
CVE-2022-21679
Istio 1.12.0/1.12.1 will generate incorrect configuration for proxies of version 1.11 affecting the hosts and notHosts field in the authorization policy. The incorrect configuration could cause requests to accidentally bypass or get rejected by the authorization policy when using the hosts and notHosts fields.
The issue happens when mixing the 1.12.0/1.12.1 control plane with the 1.11 data plane and using the hosts or notHosts field in the authorization policy.
Mitigation
- Upgrade to latest 1.12.2 or;
- Do not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using
hostsornotHostsfield in authorization policy
Credit
We would like to thank Yangmin Zhu and @Aakash2017.