The Istio community has released a fix for a recently discovered vulnerability CVE-2020-16844. The vulnerability was classed as MEDIUM severity, with a CVSS score of 6.8.
Due to the vulnerability, callers to TCP services that had defined Authorization Policies to DENY actions containing wildcard suffixes (e.g. *-some-suffix) for source principles or namespace fields would never be denied access.
Mitigation
Impacted users running on releases 1.5 to 1.5.8 and 1.6 to 1.6.7 should immediately upgrade to 1.5.9 and 1.6.8 respectively.
Users are also advised NOT to use suffix matching in DENY policies in the source principle or namespace field for TCP services and use Prefix and Exact Matching where possible.
Additionally, those impacted should consider, where possible, changing TCP to HTTP for port name suffices in services.
For more information visit the Istio 1.6.8 patch release announcement
To report a vulnerability, follow the security vulnerability process outlined in the Istio docs.
Tetrate supports organizations in preventing attacks by providing rapid notification and updates to respond to identified vulnerabilities.