A flaw was found in Istio in all versions from 1.3 onward (1.3 included). The flaw is in the exact path matching logic of Istio's Authentication Policy and can allow unauthorized access to an HTTP path, even if the path is configured to be accessible only with a valid JWT token.
Depending on the paths used in the exact match clause, it is possible to replace the exact path with a regular expression.
As provided by the Istio Product Committee, the following mitigation can be employed.
The original policy specifying a JWT-protected path is as follows:
- name: istio-ingressgateway
- exact: /productpage
The exact path definition can then be replaced with the following regular expressions:
- regex: '/productpage(\?.*)?'
- regex: '/productpage(#.*)?'
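To check what the exact rule above leaves uncovered and that the two mitigation regexes close the gap without covering unrelated paths, here is an added example in Go; it is a hypothetical model of a policy path matcher written for this note, not Istio's or Envoy's code, and it assumes the rule is compared against the request-line path as sent (query string or fragment included) and that regex rules are full-path matches.

```go
package main

import (
	"fmt"
	"regexp"
)

// pathRule is a small hypothetical model of one path trigger in an Istio
// authentication policy (exact string or RE2 regex); it is not Istio's code.
type pathRule struct {
	Exact string
	Regex *regexp.Regexp
}

// anchored compiles expr as a full-path match (assumed to mirror Envoy's
// regex matcher), so "/productpage(\?.*)?" cannot also cover "/productpage2".
func anchored(expr string) *regexp.Regexp {
	return regexp.MustCompile(`^(?:` + expr + `)$`)
}

// matches compares the rule against the path as written on the request line,
// query string or fragment included (an assumption of this model).
func (r pathRule) matches(requestPath string) bool {
	if r.Regex != nil {
		return r.Regex.MatchString(requestPath)
	}
	return r.Exact == requestPath
}

// protectedBy reports whether any rule requires a JWT for requestPath.
func protectedBy(rules []pathRule, requestPath string) bool {
	for _, r := range rules {
		if r.matches(requestPath) {
			return true
		}
	}
	return false
}

// originalRules is the page's exact-match policy; mitigatedRules is its two-regex replacement.
func originalRules() []pathRule { return []pathRule{{Exact: "/productpage"}} }
func mitigatedRules() []pathRule {
	return []pathRule{{Regex: anchored(`/productpage(\?.*)?`)}, {Regex: anchored(`/productpage(#.*)?`)}}
}

func main() {
	// Constructed request paths; the last one is a different resource that must stay uncovered.
	for _, p := range []string{"/productpage", "/productpage?x=1", "/productpage#f", "/productpage2"} {
		fmt.Printf("%-18s exact=%-5v mitigated=%v\n", p, protectedBy(originalRules(), p), protectedBy(mitigatedRules(), p))
	}
}
```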
Name: The Istio Product Security Committee
This issue has been addressed in the following products:
OpenShift Service Mesh 1.0
Via RHSA-2020:0477 https://access.redhat.com/errata/RHSA-2020:0477
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):