Bug 1798247 (CVE-2020-8595)

Summary: CVE-2020-8595 istio: unauthorised access to JWT protected HTTP path
Product: [Other] Security Response Reporter: Mark Cooper <mcooper>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kconner, rcernich, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: istio 1.3.8, istio 1.4.4 Doc Type: If docs needed, set a value
Doc Text:
An unauthorized access vulnerability was found in Istio in the servicemesh-proxy. An attacker can use this flaw to specify an HTTP path and gain unauthorized access, even if the path is configured to only be accessed with a valid JSON Web Token (JWT).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-12 08:09:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1797871    

Description Mark Cooper 2020-02-04 22:56:10 UTC 
A flaw was found in Istio in all versions released after 1.3 (included). The flaw is in Istio's Authentication Policy exact path matching logic and can allow unauthorized access to a HTTP path, even if the path is configured to be only accessed with a valid JWT token.
Comment 1 Mark Cooper 2020-02-04 22:56:12 UTC 
Mitigation:

Depending on the paths used in the exact match clause, it is possible to update the path to a regex. 

As provided by the Istio Product Committee, the following mitigation can be employed.

The original policy specifying a JWT protected path is as follows:
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway
  origins:
  - jwt:
      issuer: "testing.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - exact: /productpage

The exact path definition can then be updated to a regular expression:
---
  - jwt:
      issuer: "testing.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - regex: '/productpage(\?.*)?'
        - regex: '/productpage(#.*)?'
Comment 3 Mark Cooper 2020-02-06 00:06:07 UTC 
Acknowledgments:

Name: The Istio Product Security Committee
Comment 5 errata-xmlrpc 2020-02-12 00:10:47 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:0477 https://access.redhat.com/errata/RHSA-2020:0477
Comment 7 Mark Cooper 2020-02-12 04:28:36 UTC 
External References:

https://istio.io/news/security/istio-security-2020-001/
Comment 8 Product Security DevOps Team 2020-02-12 08:09:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8595