Bug 1973478 (CVE-2021-34824)
Summary: | CVE-2021-34824 istio: istiod propagates user-specified TLS keys and certificates to the secure Istio gateways | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | jwendell, kconner, rcernich, security-response-team, twalsh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | istio 1.9.6, istio 1.10.2 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Istio. Any client authorized to access the Istio XDS API can retrieve any cached gateway TLS certificates and private keys. The highest threat from this vulnerability is to data confidentiality.
|
Last Closed: | 2021-06-29 22:40:31 UTC | Type: | --- |
Bug Blocks: | 1973379 |
Description
Anten Skrabec
2021-06-17 22:56:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-34824