The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed. This allows access to all ports on these resources from any pod. For example, the ports for istiod are currently specified as:

spec:
  ingress:
  - ports:
    port: webhook

and should be specified as:

spec:
  ingress:
    ports:
    - port: webhook

Network policies applied to the following resources are affected:
- istiod
- grafana
- kiali
- prometheus
- jaeger
- galley
- sidecar injector

Jira Issue: https://issues.redhat.com/browse/MAISTRA-2401
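The following check is an added example, not code from the bug or from Maistra: it takes the parsed form of the two istiod snippets above (policy names and pod selectors are assumed) and flags ingress rules whose `ports` list is empty, which is what the misplaced `port:` key produces once the API server drops the unknown field. The corrected manifest assumes the standard `spec.ingress[].ports[]` schema.

```python
"""Detect NetworkPolicy ingress rules that silently open every port.

In the affected templates `port: webhook` sat beside `ports:` as an unknown
sibling key instead of inside the `ports` list, so `ports` ended up null.
An ingress rule with no `ports` (and no `from`) allows all traffic on all
ports from any source, which is the exposure described in the bug.
"""
from typing import Any, Dict, List

# Fields Kubernetes knows on a NetworkPolicyIngressRule; anything else is an
# unknown field that the API server ignored rather than rejected.
INGRESS_RULE_FIELDS = {"ports", "from"}

# Constructed manifests: parsed form of the YAML quoted in the bug report.
# The metadata and podSelector values are assumptions for the example.
BROKEN_ISTIOD: Dict[str, Any] = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "istiod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "istiod"}},
        # YAML:  - ports:          <- nothing nested, so the value is null
        #          port: webhook   <- unknown sibling key, dropped
        "ingress": [{"ports": None, "port": "webhook"}],
    },
}

FIXED_ISTIOD: Dict[str, Any] = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "istiod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "istiod"}},
        # YAML:  - ports:
        #          - port: webhook
        "ingress": [{"ports": [{"port": "webhook"}]}],
    },
}


def open_ingress_rules(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per ingress rule that leaves every port reachable."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    findings: List[str] = []
    # An absent or empty ingress list denies all ingress, so it is not flagged.
    for i, rule in enumerate(policy.get("spec", {}).get("ingress") or []):
        ports = rule.get("ports")
        if isinstance(ports, list) and ports:
            continue  # ports are restricted; nothing to report
        msg = f"{name} ingress[{i}]: ports is empty, so every port is reachable"
        if "from" not in rule:
            msg += "; from is absent, so any source is allowed"
        unknown = sorted(set(rule) - INGRESS_RULE_FIELDS)
        if unknown:
            msg += f"; unknown fields dropped: {', '.join(unknown)}"
        findings.append(msg)
    return findings
```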
This issue has been addressed in the following products:

OpenShift Service Mesh 2.0
Via RHSA-2021:2380 https://access.redhat.com/errata/RHSA-2021:2380
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3586
(actually needinfo-ing anten this time instead of the whole team)