Bug 1973478 (CVE-2021-34824) - CVE-2021-34824 istio: istiod propagates user-specified TLS keys and certificates to the secure Istio gateways
Summary: CVE-2021-34824 istio: istiod propagates user-specified TLS keys and certifica...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-34824
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1973379
Reported: 2021-06-17 22:56 UTC by Anten Skrabec
Modified: 2023-09-01 00:33 UTC (History)

Fixed In Version: istio 1.9.6, istio 1.10.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in istio. Any client authorized to access the Istio XDS API can retrieve any cached gateway TLS certificate and private key. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-06-29 22:40:31 UTC
Embargoed:



Description Anten Skrabec 2021-06-17 22:56:48 UTC
In Istio 1.8+ versions, Istiod propagates user-specified TLS keys and certificates to the secure Istio gateways
<https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/>
via Istiod. Normally, a gateway deployment is only able to access the TLS certificates and private keys stored in the secrets it is allowed to access by Kubernetes RBAC. However, a bug in Istiod allows a client authorized to access the Istio XDS API to retrieve any gateway TLS certificate and private key cached in Istiod. This security vulnerability only impacts the Istio 1.8, 1.9 and 1.10 minor releases, of which 1.9 and 1.10 are within the Istio support window.
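The bug class in miniature, as an added illustration that is not Istio's code: a constructed cache of gateway secrets served over an XDS-style API, once answering any lookup by resource name alone (the behaviour the report describes) and once scoping the answer to the requesting proxy's namespace, which stands in for the Kubernetes RBAC boundary the description mentions. All type and function names, and the namespace-based check itself, are assumptions of this model.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of istiod's gateway secret cache keyed "namespace/name"
// (illustration of the bug class, not Istio's code; PEM fields are placeholders).
type Secret struct{ Namespace, Name, CertPEM, KeyPEM string }
// XDSClient identifies the proxy requesting a secret over the XDS-style API.
type XDSClient struct{ Namespace string }
type SecretCache struct{ byKey map[string]Secret }
var errNotFound = errors.New("secret not found")

func NewSecretCache(secrets ...Secret) *SecretCache {
	c := &SecretCache{byKey: map[string]Secret{}}
	for _, s := range secrets {
		c.byKey[s.Namespace+"/"+s.Name] = s
	}
	return c
}

// VulnerableFetch decides on the resource name alone: any client authorized to
// talk XDS at all receives the certificate and key of any cached gateway secret.
func (c *SecretCache) VulnerableFetch(_ XDSClient, resource string) (Secret, error) {
	if s, ok := c.byKey[resource]; ok {
		return s, nil
	}
	return Secret{}, errNotFound
}

// HardenedFetch also requires that the requester could read the secret itself;
// namespace equality stands in for the Kubernetes RBAC boundary. "Missing" and
// "not yours" share one error so a client cannot enumerate what is cached.
func (c *SecretCache) HardenedFetch(client XDSClient, resource string) (Secret, error) {
	if s, ok := c.byKey[resource]; ok && s.Namespace == client.Namespace {
		return s, nil
	}
	return Secret{}, errNotFound
}

func main() {
	cache := NewSecretCache(Secret{"finance", "ingress-tls", "CERT", "KEY"})
	outsider := XDSClient{Namespace: "marketing"}
	_, vulnErr := cache.VulnerableFetch(outsider, "finance/ingress-tls")
	_, hardErr := cache.HardenedFetch(outsider, "finance/ingress-tls")
	fmt.Println("leaked:", vulnErr == nil, "refused:", hardErr != nil) // leaked: true refused: true
}
```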

Comment 3 Product Security DevOps Team 2021-06-29 22:40:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-34824

