Description
Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.
A flaw was found in Istio. Any client authorized to access the Istio XDS API can retrieve any cached gateway TLS certificate and private key. The highest threat from this vulnerability is to data confidentiality.
Mitigation
This vulnerability can be mitigated by disabling istiod caching. This is controlled by setting the PILOT_ENABLE_XDS_CACHE environment variable to false on istiod.
Note: since this disables XDS caching, it may impact the performance of istiod.
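As an added example (not part of this advisory), the check below inspects an istiod Deployment object, as returned by `kubectl get deployment -o json`, and reports whether its Istio version falls in the affected ranges listed above and whether the PILOT_ENABLE_XDS_CACHE=false mitigation is applied. It assumes the istiod container is named `discovery` and carries a semantic version in its image tag; the sample manifest is constructed.

```python
"""Assess an istiod Deployment against the affected Istio versions and the
documented mitigation (PILOT_ENABLE_XDS_CACHE=false). Added example; the
sample manifest below is constructed and not taken from a real cluster."""
import re

# Affected ranges from the advisory: 1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1.
# A patch value of None means "any patch level" (the 1.8.x case).
AFFECTED = [((1, 8, 0), (1, 8, None)), ((1, 9, 0), (1, 9, 5)), ((1, 10, 0), (1, 10, 1))]


def parse_version(image):
    """Extract (major, minor, patch) from an image reference such as
    'docker.io/istio/pilot:1.9.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        raise ValueError(f"no semantic version found in {image!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies inside one of the affected ranges."""
    for (lo_maj, lo_min, lo_pat), (hi_maj, hi_min, hi_pat) in AFFECTED:
        if (lo_maj, lo_min) != version[:2] or (hi_maj, hi_min) != version[:2]:
            continue
        if version[2] < lo_pat:
            continue
        if hi_pat is None or version[2] <= hi_pat:
            return True
    return False


def xds_cache_disabled(container):
    """True only when PILOT_ENABLE_XDS_CACHE is explicitly set to 'false'.
    An unset variable keeps caching enabled, which is the istiod default."""
    for env in container.get("env", []):
        if env.get("name") == "PILOT_ENABLE_XDS_CACHE":
            return env.get("value", "").strip().lower() == "false"
    return False


def assess(deployment):
    """Return 'not-affected', 'mitigated' or 'vulnerable' for an istiod Deployment.
    Assumes the istiod container is named 'discovery' (the default name)."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    container = next(c for c in containers if c["name"] == "discovery")
    if not is_affected(parse_version(container["image"])):
        return "not-affected"
    return "mitigated" if xds_cache_disabled(container) else "vulnerable"


# Constructed sample: a trimmed istiod Deployment with the mitigation applied.
SAMPLE = {"spec": {"template": {"spec": {"containers": [
    {"name": "discovery", "image": "docker.io/istio/pilot:1.9.3",
     "env": [{"name": "PILOT_ENABLE_XDS_CACHE", "value": "false"}]}]}}}}

if __name__ == "__main__":
    print(assess(SAMPLE))  # -> mitigated
```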
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | servicemesh | Not affected | | |
| OpenShift Service Mesh 2.0 | servicemesh | Not affected | | |
Additional information
CVSS3: 9.1 Critical
Related vulnerabilities
Istio (1.8.x, 1.9.0-1.9.5 and 1.10.0-1.10.1) contains a remotely exploitable vulnerability where credentials specified in the Gateway and DestinationRule credentialName field can be accessed from different namespaces.
Istio before 1.9.6 and 1.10.x before 1.10.2 has Incorrect Access Control.
CVSS3: 9.1 Critical