It has been discovered that Istio through 1.5.8 and 1.6.5 contains an insecure access control vulnerability. When an AuthorizationPolicy is created for a TCP service which includes a DENY rule with a prefix wildcard, Istio translates this to an Envoy match string incorrectly, dropping the wildcard. Hence a matching caller will not be denied, because the string will not match as intended. This only affects DENY policies for TCP services using prefix matching. HTTP, suffix and exact matching are unaffected.
Acknowledgments: the Envoy Security Team
This issue has been addressed in the following products: OpenShift Service Mesh 1.1, via RHSA-2020:3425 (https://access.redhat.com/errata/RHSA-2020:3425)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-16844
External References: https://istio.io/latest/news/security/istio-security-2020-009/
Mitigation: For an AuthorizationPolicy on a TCP service that uses a DENY rule with a wildcard in the source principals (or namespaces) field, such as:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    ...
    spec:
      action: DENY
      rules:
      - from:
        - source:
            principals:
            - */ns/servicemesh

consider using an exact or suffix match instead, such as:

    - /foo/bar/ns/servicemesh
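An added audit check, not part of this advisory or of Istio itself, that walks the output of `kubectl get authorizationpolicies -A -o json` and lists every DENY rule whose source principals or namespaces contain a wildcard, so those policies can be reviewed against this issue. The policy list below is constructed for the example; whether each targeted workload is a TCP service cannot be read from the policy alone and must be confirmed separately.

```python
import json

# Constructed sample in the shape of `kubectl get authorizationpolicies -A -o json`
# (made up for this example, not taken from a real cluster).
SAMPLE_LIST = json.dumps({"items": [
    {"metadata": {"name": "deny-mesh", "namespace": "tcp-app"},
     "spec": {"action": "DENY",
              "rules": [{"from": [{"source": {"principals": ["*/ns/servicemesh"]}}]}]}},
    {"metadata": {"name": "deny-exact", "namespace": "tcp-app"},
     "spec": {"action": "DENY",
              "rules": [{"from": [{"source": {
                  "principals": ["cluster.local/ns/servicemesh/sa/default"]}}]}]}},
    {"metadata": {"name": "allow-wild", "namespace": "web"},
     "spec": {"action": "ALLOW",
              "rules": [{"from": [{"source": {"namespaces": ["*"]}}]}]}},
]})

# The advisory names the source principal and namespace fields of DENY rules.
WATCHED_FIELDS = ("principals", "namespaces")


def wildcard_deny_sources(policy_list_json):
    """Return (namespace/name, field, value) for each wildcard value found in a
    DENY rule's source principals or namespaces. Only DENY is affected; ALLOW
    policies (Istio's default action when `action` is omitted) are skipped."""
    findings = []
    for item in json.loads(policy_list_json).get("items", []):
        spec = item.get("spec", {})
        if spec.get("action", "ALLOW") != "DENY":
            continue
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        for rule in spec.get("rules", []):
            for frm in rule.get("from", []):
                src = frm.get("source", {})
                for field in WATCHED_FIELDS:
                    for value in src.get(field, []):
                        if "*" in value:
                            findings.append((ref, field, value))
    return findings


if __name__ == "__main__":
    for ref, field, value in wildcard_deny_sources(SAMPLE_LIST):
        print(f"review {ref}: DENY source.{field} uses wildcard {value!r}")
```

On a live cluster, pipe the kubectl JSON into `wildcard_deny_sources` and check each reported policy against the TCP services it applies to and the fixed Istio versions.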