Version 1.10

Security bulletins

Use this XML feed to subscribe to Anthos Service Mesh security bulletins. Subscribe

This page lists the security bulletins for Anthos Service Mesh.

GCP-2021-012

Published: 2021-06-24
Description Severity Notes

The Istio secure Gateway or workloads using the DestinationRule can load TLS private keys and certificates from Kubernetes secrets via the credentialName configuration. From Istio 1.8 and above, the secrets are read from istiod and conveyed to gateways and workloads via XDS.

Normally, a gateway or workload deployment is only able to access TLS certificates and private keys stored in the secret within its namespace. However, a bug in istiod allows a client authorized to access the Istio XDS API to retrieve any TLS certificate and private keys cached in istiod. This security vulnerability only impacts the 1.8 and 1.9 minor releases of Anthos Service Mesh.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if ALL of the following conditions are true:

  • It us using a 1.9.x version prior to 1.9.6-asm.1 or a 1.8.x prior to 1.8.6-asm.4.
  • It has defined Gateways or DestinationRules with the credentialName field specified.
  • It does not specify the istiod flag PILOT_ENABLE_XDS_CACHE=false.
Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.9.6-asm.1
  • 1.8.6-asm.4

If an upgrade isn't feasible, you can mitigate this vulnerability by disabling istiod caching. You can disable caching by setting the istiod environment variable to PILOT_ENABLE_XDS_CACHE=false. System and istiod performance may be impacted because this disables XDS caching.

High

CVE-2021-34824

GCP-2021-008

Published: 2021-05-17
Description Severity Notes

Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.

What should I do?

Check if your clusters are impacted

This vulnerability impacts only usage of the AUTO_PASSTHROUGH Gateway type, which is typically only used in multi-network, multi-cluster deployments.

Detect the TLS mode of all Gateways in the cluster with the following command:

kubectl get gateways.networking.istio.io -A -o \
  "custom-columns=NAMESPACE:.metadata.namespace, \
  NAME:.metadata.name,TLS_MODE:.spec.servers[*].tls.mode"

If the output shows any AUTO_PASSTHROUGH Gateways, you may be impacted.

Mitigation

Update your clusters to the latest Anthos Service Mesh versions:

  • 1.9.5-asm.2
  • 1.8.6-asm.3
  • 1.7.8-asm.8

* Note: The rollout of the Anthos Service Mesh Managed Control Plane (available only in 1.9.x versions) will complete in the next few days.

High

CVE-2021-31921

GCP-2021-007

Published: 2021-05-17
Description Severity Notes

Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.

In a scenario where an Istio cluster administrator defines an authorization DENY policy to reject the request at path "/admin", a request sent to the URL path "//admin" will NOT be rejected by the authorization policy.

According to the RFC 3986, the path "//admin" with multiple slashes should technically be treated as a different path from the "/admin". However, some backend services choose to normalize the URL paths by merging multiple slashes to a single slash. This can result in a bypass of the authorization policy ("//admin" does not match "/admin"), and a user can access the resource at path "/admin" in the backend.

What should I do?

Check if your clusters are impacted

Your cluster is impacted by this vulnerability if you have authorization policies using "ALLOW action + notPaths field" or "DENY action + paths field" patterns. These patterns are vulnerable to unexpected policy bypasses and you should upgrade to fix the security issue ASAP.

The following is an example of vulnerable policy that uses "DENY action + paths field" pattern:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-path-admin
spec:
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/admin"]

The following is another example of vulnerable policy that uses "ALLOW action + notPaths field" pattern:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-path-not-admin
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        notPaths: ["/admin"]

Your cluster is not impacted by this vulnerability if:

  • You don't have authorization policies.
  • Your authorization policies don't define paths or notPaths fields.
  • Your authorization policies use "ALLOW action + paths field" or "DENY action + notPaths field" patterns. These patterns could only cause unexpected rejection instead of policy bypasses.
  • Upgrading is optional for these cases.

Mitigation

Update your clusters to the latest supported Anthos Service Mesh versions*. These versions support configuring the Envoy proxies in the system with more normalization options:

  • 1.9.5-asm.2
  • 1.8.6-asm.3
  • 1.7.8-asm.8

* Note: The rollout of the Anthos Service Mesh Managed Control Plane (available only in 1.9.x versions) will complete in the next few days.

Follow the Istio security best practices guide to configure your authorization policies.

High

CVE-2021-31920

GCP-2021-004

Published: 2021-05-06
Description Severity Notes

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28682, CVE-2021-28683, and CVE-2021-29258), that could allow an attacker to crash Envoy and potentially render parts of the cluster offline and unreachable.

This impacts delivered services such as Anthos Service Mesh.

What should I do?

To fix these vulnerabilities, upgrade your Anthos Service Mesh bundle to one of the following patched versions:

  • 1.9.3-asm.2
  • 1.8.5-asm.2
  • 1.7.8-asm.1
  • 1.6.14-asm.2

For more information, see the Anthos Service Mesh release notes.

High

CVE-2021-28682
CVE-2021-28683
CVE-2021-29258