The Istio community has released a fix for a recently discovered vulnerability CVE-2020-16844. The vulnerability was classed as MEDIUM severity, with a CVSS score of 6.8.
Due to the vulnerability, callers to TCP services that had defined Authorization Policies to DENY actions containing wildcard suffixes (e.g. *-some-suffix) for source principles or namespace fields would never be denied access.
Mitigation
Impacted users running on releases 1.5 to 1.5.8 and 1.6 to 1.6.7 should immediately upgrade to 1.5.9 and 1.6.8 respectively.
Users are also advised NOT to use suffix matching in DENY policies in the source principle or namespace field for TCP services and use Prefix and Exact Matching where possible.
Additionally, those impacted should consider, where possible, changing TCP to HTTP for port name suffices in services.
For more information visit the Istio 1.6.8 patch release announcement
To report a vulnerability, follow the security vulnerability process outlined in the Istio docs.
Tetrate supports organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.
###
If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API. Learn more ›
Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.
Get a Demo