Bug 1798247 (CVE-2020-8595) - CVE-2020-8595 istio: unauthorised access to JWT protected HTTP path
Summary: CVE-2020-8595 istio: unauthorised access to JWT protected HTTP path
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8595
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1797871
TreeView+ depends on / blocked
 
Reported: 2020-02-04 22:56 UTC by Mark Cooper
Modified: 2021-02-16 20:39 UTC (History)
3 users (show)

Fixed In Version: istio 1.3.8, istio 1.4.4
Doc Type: If docs needed, set a value
Doc Text:
An unauthorized access vulnerability was found in Istio in the servicemesh-proxy. An attacker can use this flaw to specify an HTTP path and gain unauthorized access, even if the path is configured to only be accessed with a valid JSON Web Token (JWT).
Clone Of:
Environment:
Last Closed: 2020-02-12 08:09:35 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0477 0 None None None 2020-02-12 00:10:49 UTC

Description Mark Cooper 2020-02-04 22:56:10 UTC
A flaw was found in Istio in all versions released after 1.3 (included). The flaw is in Istio's Authentication Policy exact path matching logic and can allow unauthorized access to a HTTP path, even if the path is configured to be only accessed with a valid JWT token.

Comment 1 Mark Cooper 2020-02-04 22:56:12 UTC
Mitigation:

Depending on the paths used in the exact match clause, it is possible to update the path to a regex. 

As provided by the Istio Product Committee, the following mitigation can be employed.

The original policy specifying a JWT protected path is as follows:
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - exact: /productpage

The exact path definition can then be updated to a regular expression:
---
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - regex: '/productpage(\?.*)?'
        - regex: '/productpage(#.*)?'

Comment 3 Mark Cooper 2020-02-06 00:06:07 UTC
Acknowledgments:

Name: The Istio Product Security Committee

Comment 5 errata-xmlrpc 2020-02-12 00:10:47 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:0477 https://access.redhat.com/errata/RHSA-2020:0477

Comment 7 Mark Cooper 2020-02-12 04:28:36 UTC
External References:

https://istio.io/news/security/istio-security-2020-001/

Comment 8 Product Security DevOps Team 2020-02-12 08:09:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8595


Note You need to log in before you can comment on or make changes to this bug.