Description
Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.
An authorization bypass vulnerability was found in Istio. When the Istio gateway is configured with TLS mode AUTO_PASSTHROUGH, it is possible for a malicious user to bypass the authorization checks and gain access to protected services. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Report
To determine whether an Istio gateway might be affected by this vulnerability, the command given at https://istio.io/latest/news/security/istio-security-2021-006/ can also be run against OpenShift ServiceMesh, using the oc CLI instead of kubectl:
$ oc get gateways.networking.istio.io -A -o "custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,TLS_MODE:.spec.servers[*].tls.mode"
NAMESPACE   NAME           TLS_MODE
test        test-gateway
As specified in the linked reference, if the TLS_MODE returned is AUTO_PASSTHROUGH then the gateway may be affected.
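The check above can be automated by filtering the listing for gateways where any server reports AUTO_PASSTHROUGH. The following is an added example, not code from the Istio or Red Hat advisory; the function names and the sample gateways are constructed. It assumes that multiple server modes appear comma-separated in the TLS_MODE column and that a missing mode appears empty or as <none>.

```shell
#!/bin/sh
# Added example: flag gateways with an AUTO_PASSTHROUGH server in the
# custom-columns listing (NAMESPACE NAME TLS_MODE) read from stdin.
flag_auto_passthrough() {
    awk '
        NR == 1 && $1 == "NAMESPACE" { next }   # skip the header row
        NF < 3 { next }                         # gateway with no TLS mode set
        {
            # Assumption: one gateway with several servers lists their
            # modes comma-separated, e.g. SIMPLE,AUTO_PASSTHROUGH.
            n = split($3, modes, ",")
            for (i = 1; i <= n; i++)
                if (modes[i] == "AUTO_PASSTHROUGH") {
                    print $1 "/" $2
                    break
                }
        }
    '
}

# Constructed sample listing; only test/test-gateway comes from the page.
sample_listing() {
    cat <<'EOF'
NAMESPACE      NAME           TLS_MODE
test           test-gateway
istio-system   eastwest-gw    AUTO_PASSTHROUGH
prod           web-gw         SIMPLE,MUTUAL
prod           mixed-gw       SIMPLE,AUTO_PASSTHROUGH
dev            plain-gw       <none>
EOF
}

# Against a live cluster, pipe the oc command shown above into
# flag_auto_passthrough instead of the sample.
sample_listing | flag_auto_passthrough
```

Each line printed is a namespace/name pair for a gateway that should be reviewed against the fixed Istio versions named in the description.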
Additional information
Status:
CVSS3: 10 Critical
Related vulnerabilities
Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.
Istio before 1.8.6 and 1.9.x before 1.9.5, when a gateway is using the AUTO_PASSTHROUGH routing configuration, allows attackers to bypass authorization checks and access unexpected services in the cluster.
CVSS3: 10 Critical