Envoy before v1.15.0 and Istio before 1.6.5 (and 1.5.8) doesn't correctly validate TLS certificates when using wildcards. When wildcards are specified in the DNS Subject Alternative Name (SAN) and include multiple subdomains such as *.site.com, Envoy incorrectly allows and matches further sub domains such as bad.subdomain.site.com.
Acknowledgments: Name: the Envoy Security Team
Fix, git commit: https://github.com/envoyproxy/envoy/pull/11921/files
External References: https://istio.io/latest/news/security/istio-security-2020-008/
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:3090 https://access.redhat.com/errata/RHSA-2020:3090
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15104
Statement: For OpenShift ServiceMesh to be affected by this vulnerability, it must be configured to validate externally issued certificates. By default, ServiceMesh does not issue certificates that use DNS wildcard SANs.