1798247 – (CVE-2020-8595) CVE-2020-8595 istio: unauthorised access to JWT protected HTTP path

Bug 1798247 (CVE-2020-8595) - CVE-2020-8595 istio: unauthorised access to JWT protected HTTP path

Summary: CVE-2020-8595 istio: unauthorised access to JWT protected HTTP path

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-8595
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1797871
TreeView+	depends on / blocked

Reported:	2020-02-04 22:56 UTC by Mark Cooper
Modified:	2021-02-16 20:39 UTC (History)
CC List:	3 users (show)
Fixed In Version:	istio 1.3.8, istio 1.4.4
Doc Type:	If docs needed, set a value
Doc Text:	An unauthorized access vulnerability was found in Istio in the servicemesh-proxy. An attacker can use this flaw to specify an HTTP path and gain unauthorized access, even if the path is configured to only be accessed with a valid JSON Web Token (JWT).
Clone Of:
Environment:
Last Closed:	2020-02-12 08:09:35 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:0477	0	None	None	None	2020-02-12 00:10:49 UTC

Description Mark Cooper 2020-02-04 22:56:10 UTC

A flaw was found in Istio in all versions released after 1.3 (included). The flaw is in Istio's Authentication Policy exact path matching logic and can allow unauthorized access to a HTTP path, even if the path is configured to be only accessed with a valid JWT token.

Comment 1 Mark Cooper 2020-02-04 22:56:12 UTC

Mitigation:

Depending on the paths used in the exact match clause, it is possible to update the path to a regex. 

As provided by the Istio Product Committee, the following mitigation can be employed.

The original policy specifying a JWT protected path is as follows:
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway
  origins:
  - jwt:
      issuer: "testing.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - exact: /productpage

The exact path definition can then be updated to a regular expression:
---
  - jwt:
      issuer: "testing.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - regex: '/productpage(\?.*)?'
        - regex: '/productpage(#.*)?'

Comment 3 Mark Cooper 2020-02-06 00:06:07 UTC

Acknowledgments:

Name: The Istio Product Security Committee

Comment 5 errata-xmlrpc 2020-02-12 00:10:47 UTC

This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:0477 https://access.redhat.com/errata/RHSA-2020:0477

Comment 7 Mark Cooper 2020-02-12 04:28:36 UTC

External References:

https://istio.io/news/security/istio-security-2020-001/

Comment 8 Product Security DevOps Team 2020-02-12 08:09:35 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8595

Note You need to log in before you can comment on or make changes to this bug.