CVE-2020-1764

Published: 25 Mar 2020
Source: redhat
CVSS3: 8.6

Description

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Report

If exploited, an attacker can perform all Kiali admin functions via the API including:

  • View the logs of a pod
  • View Istio metrics, tracing etc.
  • Alter Istio routing configurations:
      • Change the pod availability: adding variances to the weighting, i.e. all traffic goes to 1 pod, or 95% of all traffic.
      • Prevent traffic reaching a pod, DoS

Whilst OpenShift ServiceMesh Kiali uses the default signing key for JWT cookies, it also includes an access_token. This token is generated with a successful login and cannot be easily determined. To access the Kiali API in this case, a valid session token would need to be captured first and then added to the JWT cookie.

Mitigation

The Kiali configuration can be manually updated for ServiceMesh so that the default signing_key cannot be easily determined:

    oc get kiali -n $(oc get kiali --all-namespaces --no-headers -o custom-columns=NS:.metadata.namespace) -o yaml | sed "s/spec:/spec:\n  login_token:\n    signing_key: $(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1..20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)/" | oc apply -f -
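An added variant of the mitigation above (not Red Hat's or Kiali's own code): bash's $RANDOM is not a cryptographic generator, so this sketch draws the key from /dev/urandom and inserts it under the top-level spec: of a Kiali CR, refusing when a login_token block already exists. The function names, exit codes and the sample CR are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: signing_key mitigation with a CSPRNG-sourced key.

# Constructed sample Kiali CR (illustrative values, not taken from the advisory).
SAMPLE_CR='apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  name: kiali
  namespace: istio-system
spec:
  auth:
    strategy: openshift'

# gen_signing_key [len]: print len (default 32) alphanumeric characters drawn
# from the kernel CSPRNG; fails if the 512-byte sample yields too few.
gen_signing_key() (
  len="${1:-32}"
  key="$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$len")"
  [ "${#key}" -eq "$len" ] && printf '%s\n' "$key"
)

# inject_signing_key KEY: read a Kiali CR (YAML) on stdin and write it back with
# spec.login_token.signing_key set. Exit codes: 1 unsuitable key, 2 a login_token
# block already exists (edit it by hand), 3 no top-level "spec:" line found.
inject_signing_key() (
  key="$1"
  # Alphanumeric only, 16+ characters, so the value never needs YAML quoting.
  case "$key" in ''|*[!A-Za-z0-9]*) exit 1 ;; esac
  [ "${#key}" -ge 16 ] || exit 1
  cr="$(cat)"
  # Inserting a second login_token mapping would produce a duplicate key.
  if printf '%s\n' "$cr" | grep -q '^  login_token:'; then exit 2; fi
  # Match only the unindented "spec:" line, not nested or embedded occurrences.
  printf '%s\n' "$cr" | awk -v k="$key" '
    { print }
    /^spec:[ \t]*$/ && !done {
      print "  login_token:"; print "    signing_key: " k; done = 1
    }
    END { exit (done ? 0 : 3) }'
)

# Intended use against a cluster (assumes NS holds the Kiali namespace):
#   oc get kiali -n "$NS" -o yaml | inject_signing_key "$(gen_signing_key)" | oc apply -f -
```

Review the rendered YAML before piping it to oc apply, and confirm afterwards that Kiali sessions issued under the old key are no longer accepted.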

Additional information

Status: Important
Defect: CWE-321
https://bugzilla.redhat.com/show_bug.cgi?id=1810383 kiali: JWT cookie uses default signing key

CVSS3: 8.6 High

Related vulnerabilities

CVSS3: 8.6
nvd
about 5 years ago

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

CVSS3: 8.6
github
about 4 years ago

Hard coded cryptographic key in Kiali

CVSS3: 9.4
fstec
about 5 years ago

Vulnerability in Kiali, the management console for Istio-based service meshes, related to the use of a hard-coded encryption key, allowing an attacker to elevate their privileges

oracle-oval
almost 5 years ago

ELSA-2020-5765: Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne security update (IMPORTANT)
