2044675 – (CVE-2022-21679) CVE-2022-21679 istio: Authorization policy bypass

Bug 2044675 (CVE-2022-21679) - CVE-2022-21679 istio: Authorization policy bypass

Summary: CVE-2022-21679 istio: Authorization policy bypass

Keywords:
Status:	NEW
Alias:	CVE-2022-21679
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2044673
TreeView+	depends on / blocked

Reported:	2022-01-25 00:38 UTC by Todd Cullum
Modified:	2023-09-01 02:53 UTC (History)
CC List:	3 users (show)
Fixed In Version:	istio 1.12.2
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Todd Cullum 2022-01-25 00:38:12 UTC

Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in the 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This will cause the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane.

References:

https://istio.io/latest/news/releases/1.12.x/announcing-1.12.2/
https://github.com/istio/istio/security/advisories/GHSA-rwfr-xrvw-2rvv
https://nvd.nist.gov/vuln/detail/CVE-2022-21679

Note You need to log in before you can comment on or make changes to this bug.