In Istio 1.8 and later, Istiod propagates user-specified TLS keys and certificates to secure Istio gateways <https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/>. Normally, a gateway deployment can only access the TLS certificates and private keys stored in the secrets that Kubernetes RBAC allows it to read. However, a bug in Istiod allows any client authorized to access the Istio XDS API to retrieve any gateway TLS certificate and private key cached in Istiod, regardless of that RBAC restriction. This vulnerability only affects the Istio 1.8, 1.9 and 1.10 minor releases, of which 1.9 and 1.10 are within the Istio support window.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-34824