Description
In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
An insecure access control vulnerability was found in Istio. If an authorization policy for a TCP service contains a DENY rule whose principal or namespace pattern begins with a wildcard, Istio translates the pattern into an Envoy string matcher but drops the wildcard, so the rule no longer matches the callers it was written for. An attacker can thereby bypass those DENY rules and reach resources the policy was meant to protect.
Mitigation
The fix is in Istio 1.5.9 and 1.6.8; the workaround below is for deployments that cannot upgrade yet.
For an AuthorizationPolicy applied to a TCP service, if a DENY rule matches the source principal (or namespace) with a leading wildcard, such as:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    ...
    spec:
      action: DENY
      rules:
      - from:
        - source:
            principals:
            - */ns/servicemesh

consider using an exact match (or a prefix match, with the wildcard only at the end of the pattern) instead, such as:

            - /foo/bar/ns/servicemesh
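Because an affected DENY rule fails silently (the mesh keeps working, it just stops denying), it is worth auditing every AuthorizationPolicy in a cluster rather than checking policies one at a time. The script below is an added example, not code from Istio or from this advisory: it walks the JSON that `kubectl get authorizationpolicies.security.istio.io -A -o json` returns and reports DENY rules whose `source.principals` or `source.namespaces` entries start with a wildcard, the pattern shape this advisory describes. The sample document is constructed for the example; it is not output from a real cluster, and the policy names in it are made up. The script cannot tell from a policy alone whether the workload it selects is TCP or HTTP, so treat every hit as something to review.

```python
import json

# Constructed sample standing in for the output of
# `kubectl get authorizationpolicies.security.istio.io -A -o json`,
# trimmed to the fields this check reads. Not output from a real cluster.
SAMPLE_KUBECTL_JSON = r'''
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "AuthorizationPolicy",
      "metadata": {"name": "deny-mesh-ns", "namespace": "default"},
      "spec": {
        "action": "DENY",
        "rules": [
          {"from": [{"source": {"principals": ["*/ns/servicemesh"]}}]}
        ]
      }
    },
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "AuthorizationPolicy",
      "metadata": {"name": "deny-suffix-ns", "namespace": "payments"},
      "spec": {
        "action": "DENY",
        "rules": [
          {"from": [{"source": {"namespaces": ["*-staging"]}}]}
        ]
      }
    },
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "AuthorizationPolicy",
      "metadata": {"name": "deny-exact", "namespace": "default"},
      "spec": {
        "action": "DENY",
        "rules": [
          {"from": [{"source": {"principals": ["cluster.local/ns/servicemesh/sa/client"]}}]}
        ]
      }
    },
    {
      "apiVersion": "security.istio.io/v1beta1",
      "kind": "AuthorizationPolicy",
      "metadata": {"name": "allow-suffix", "namespace": "default"},
      "spec": {
        "action": "ALLOW",
        "rules": [
          {"from": [{"source": {"principals": ["*/sa/frontend"]}}]}
        ]
      }
    }
  ]
}
'''

# Source fields named by the advisory as affected.
FIELDS = ("principals", "namespaces")


def is_suffix_wildcard(pattern):
    """True for Istio suffix-match patterns ("*abc").

    A bare "*" is a presence match, not a suffix match, and a trailing
    wildcard ("abc*") is a prefix match; neither is the affected shape.
    """
    return len(pattern) > 1 and pattern.startswith("*")


def find_affected_rules(policies):
    """Return (policy, rule index, field, pattern) for every DENY rule whose
    source principals/namespaces use a suffix wildcard."""
    findings = []
    for pol in policies:
        spec = pol.get("spec", {})
        # Istio defaults action to ALLOW when it is omitted.
        if spec.get("action", "ALLOW") != "DENY":
            continue
        meta = pol.get("metadata", {})
        name = f'{meta.get("namespace", "")}/{meta.get("name", "")}'
        for i, rule in enumerate(spec.get("rules", [])):
            for frm in rule.get("from", []):
                src = frm.get("source", {})
                for field in FIELDS:
                    for pat in src.get(field, []):
                        if is_suffix_wildcard(pat):
                            findings.append((name, i, field, pat))
    return findings


def scan_kubectl_json(text):
    """Accept either a kubectl List document or a single policy object."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return find_affected_rules(items)


if __name__ == "__main__":
    for name, idx, field, pat in scan_kubectl_json(SAMPLE_KUBECTL_JSON):
        print(f"{name}: rules[{idx}] source.{field} uses suffix wildcard {pat!r}")
```

Against real output, pipe `kubectl get authorizationpolicies.security.istio.io -A -o json` into `scan_kubectl_json`. The ALLOW policy in the sample is deliberately not reported: the advisory concerns DENY actions only, and flagging ALLOW rules would bury the real findings.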
Additional information
Status:
CVSS3: 6.8 Medium
Related vulnerabilities
In Istio 1.5.0 through 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
Vulnerability in the Istio networking software caused by access control flaws, allowing an attacker to affect the confidentiality and integrity of protected information
CVSS3: 6.8 Medium