
Security bulletins


This page lists the security bulletins for Anthos Service Mesh.

GCP-2021-016

Published: 2021-08-24

Description

Istio contains a remotely exploitable vulnerability where an HTTP request with a fragment (a section at the end of a URI that begins with a # character) in the URI path could bypass Istio's URI path-based authorization policies.

For example, an Istio authorization policy denies requests sent to the URI path /user/profile. In the vulnerable versions, a request with the URI path /user/profile#section1 bypasses the deny policy and routes to the backend (with the normalized URI path /user/profile%23section1), which leads to a security incident.

This fix depends on a fix in Envoy, which is associated with CVE-2021-32779.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.
  • It uses authorization policies with URI path-based rules.

Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.10.4-asm.6
  • 1.9.8-asm.1
  • 1.8.6-asm.8
  • 1.7.8-asm.10

With the new versions, the fragment part of the request’s URI is removed before the authorization and routing. This prevents a request with a fragment in its URI from bypassing authorization policies which are based on the URI without the fragment part.

Opt-out

If you opt out of this new behavior, the fragment section of the URI is kept. To opt out, configure your installation as follows:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: opt-out-fragment-cve-fix
  namespace: istio-system
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED: "false"

Note: Opting out of this behavior makes your cluster vulnerable to this CVE.

Severity: High

Notes: CVE-2021-39156

Description

Istio contains a remotely exploitable vulnerability where an HTTP request could potentially bypass an Istio authorization policy when using rules based on hosts or notHosts.

In the vulnerable versions, the Istio authorization policy compares the HTTP Host or :authority headers in a case-sensitive manner, which is inconsistent with RFC 4343. For example, a user could have an authorization policy that rejects requests with host secret.com, but an attacker can bypass it by sending the request with the hostname Secret.com. The routing flow routes the traffic to the backend for secret.com, which causes a security incident.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.
  • It uses authorization policies with rules based on hosts or notHosts.

Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.10.4-asm.6
  • 1.9.8-asm.1
  • 1.8.6-asm.8
  • 1.7.8-asm.10

This mitigation makes sure that the HTTP Host or :authority headers are evaluated against the hosts or notHosts specs in the authorization policies in a case-insensitive manner.

Severity: High

Notes: CVE-2021-39155

Description

Envoy contains a remotely exploitable vulnerability where an HTTP request carrying a header with multiple values could receive an incomplete authorization policy check when the ext_authz extension is used. When a request header contains multiple values, the external authorization server sees only the last value of that header.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.
  • It uses the External Authorization feature.

Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.10.4-asm.6
  • 1.9.8-asm.1
  • 1.8.6-asm.8
  • 1.7.8-asm.10

Severity: High

Notes: CVE-2021-32777

Description

Envoy contains a remotely exploitable vulnerability that affects Envoy's decompressor, json-transcoder, or grpc-web extensions, as well as proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy extension beyond the internal buffer size could lead to Envoy accessing deallocated memory and terminating abnormally.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if both of the following are true:

  • It uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.
  • It uses EnvoyFilters.

Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.10.4-asm.6
  • 1.9.8-asm.1
  • 1.8.6-asm.8
  • 1.7.8-asm.10

Severity: High

Notes: CVE-2021-32781

Description

Envoy contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests could lead to excessive CPU consumption.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if it uses Anthos Service Mesh patch versions earlier than 1.7.8-asm.10, 1.8.6-asm.8, 1.9.8-asm.1, and 1.10.4-asm.6.

Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.10.4-asm.6
  • 1.9.8-asm.1

Note: If you are using Anthos Service Mesh 1.8 or earlier, please upgrade to the latest patch versions of Anthos Service Mesh 1.9 and above to mitigate this vulnerability.

Severity: High

Notes: CVE-2021-32778

Description

Envoy contains a remotely exploitable vulnerability where an untrusted upstream service could cause Envoy to terminate abnormally by sending the GOAWAY frame followed by the SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if it uses Anthos Service Mesh 1.10 with a patch version earlier than 1.10.4-asm.6.

Mitigation

Upgrade your cluster to the following patch version:

  • 1.10.4-asm.6

Severity: High

Notes: CVE-2021-32780

GCP-2021-012

Published: 2021-06-24

Description

The Istio secure Gateway or workloads using the DestinationRule can load TLS private keys and certificates from Kubernetes secrets via the credentialName configuration. From Istio 1.8 and above, the secrets are read from istiod and conveyed to gateways and workloads via XDS.

Normally, a gateway or workload deployment is only able to access TLS certificates and private keys stored in the secret within its namespace. However, a bug in istiod allows a client authorized to access the Istio XDS API to retrieve any TLS certificate and private keys cached in istiod. This security vulnerability only impacts the 1.8 and 1.9 minor releases of Anthos Service Mesh.

What should I do?

Check if your clusters are impacted

Your cluster is impacted if ALL of the following conditions are true:

  • It is using a 1.9.x version prior to 1.9.6-asm.1 or a 1.8.x prior to 1.8.6-asm.4.
  • It has defined Gateways or DestinationRules with the credentialName field specified.
  • It does not specify the istiod flag PILOT_ENABLE_XDS_CACHE=false.
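The second condition above can be checked by scanning the Gateway and DestinationRule objects in the cluster for any credentialName reference. The script below is an added example and not part of the bulletin or of Istio; it walks the JSON that `kubectl get gateways.networking.istio.io,destinationrules.networking.istio.io -A -o json` prints on stdin and reports every credentialName it finds, regardless of where in the spec it sits (server TLS settings, trafficPolicy, port-level or subset settings). The embedded sample resource list is constructed for illustration.

```python
"""Audit Istio Gateway and DestinationRule objects for credentialName references.

Added example (not Istio or Google Cloud code). Usage against a cluster:
  kubectl get gateways.networking.istio.io,destinationrules.networking.istio.io -A -o json | python3 audit.py
With no piped input the constructed sample below is used.
"""
import json
import sys


def credential_refs(obj, path="spec"):
    """Yield (location, secret name) for every credentialName key anywhere under obj.

    A recursive walk is used on purpose: it does not depend on knowing every
    field path in which Istio allows credentialName to appear.
    """
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "credentialName" and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from credential_refs(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from credential_refs(value, f"{path}[{index}]")


def audit(resource_list):
    """Return a list of (kind, namespace, name, location, secret) tuples.

    resource_list has the shape of `kubectl get ... -o json`: a dict with "items".
    A non-empty result means the cluster meets the credentialName condition
    of GCP-2021-012 (the version and PILOT_ENABLE_XDS_CACHE checks are separate).
    """
    findings = []
    for item in resource_list.get("items", []):
        kind = item.get("kind", "?")
        meta = item.get("metadata", {})
        for location, secret in credential_refs(item.get("spec", {})):
            findings.append((kind, meta.get("namespace", ""), meta.get("name", ""), location, secret))
    return findings


# Constructed sample: one Gateway with a TLS server, one DestinationRule using
# mutual TLS with a client certificate secret, and one DestinationRule without TLS.
SAMPLE = {
    "items": [
        {"kind": "Gateway",
         "metadata": {"name": "ingress-gw", "namespace": "istio-system"},
         "spec": {"servers": [
             {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
              "hosts": ["*.example.com"],
              "tls": {"mode": "SIMPLE", "credentialName": "ingress-cert"}},
             {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
              "hosts": ["*"]}]}},
        {"kind": "DestinationRule",
         "metadata": {"name": "db-mtls", "namespace": "backend"},
         "spec": {"host": "db.backend.svc.cluster.local",
                  "trafficPolicy": {"tls": {"mode": "MUTUAL", "credentialName": "db-client-cert"}}}},
        {"kind": "DestinationRule",
         "metadata": {"name": "plain", "namespace": "backend"},
         "spec": {"host": "cache.backend.svc.cluster.local"}},
    ]
}


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(data)
    for kind, ns, name, location, secret in findings:
        print(f"{kind:16} {ns}/{name}: {location} -> secret {secret}")
    print(f"{len(findings)} credentialName reference(s) found")
```

An empty result means only the first and third conditions of the bulletin need checking; any finding means the listed secrets were readable through the istiod XDS cache on an unpatched 1.8 or 1.9 control plane.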

Mitigation

Upgrade your cluster to one of the following patched versions:

  • 1.9.6-asm.1
  • 1.8.6-asm.4

If an upgrade isn't feasible, you can mitigate this vulnerability by disabling istiod caching. To do so, set the istiod environment variable PILOT_ENABLE_XDS_CACHE to false. Because this disables XDS caching, system and istiod performance could be affected.

Severity: High

Notes: CVE-2021-34824

GCP-2021-008

Published: 2021-05-17

Description

Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.

What should I do?

Check if your clusters are impacted

This vulnerability impacts only usage of the AUTO_PASSTHROUGH Gateway type, which is typically only used in multi-network, multi-cluster deployments.

Detect the TLS mode of all Gateways in the cluster with the following command:

kubectl get gateways.networking.istio.io -A \
  -o 'custom-columns=NAMESPACE:.metadata.namespace,NAME:.metadata.name,TLS_MODE:.spec.servers[*].tls.mode'

If the output shows any AUTO_PASSTHROUGH Gateways, you could be impacted.

Mitigation

Update your clusters to the latest Anthos Service Mesh versions:

  • 1.9.5-asm.2
  • 1.8.6-asm.3
  • 1.7.8-asm.8

* Note: The rollout of the Anthos Service Mesh Managed Control Plane (available only in 1.9.x versions) will complete in the next few days.

Severity: High

Notes: CVE-2021-31921

GCP-2021-007

Published: 2021-05-17

Description

Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used.

In a scenario where an Istio cluster administrator defines an authorization DENY policy to reject the request at path "/admin", a request sent to the URL path "//admin" will NOT be rejected by the authorization policy.

According to the RFC 3986, the path "//admin" with multiple slashes should technically be treated as a different path from the "/admin". However, some backend services choose to normalize the URL paths by merging multiple slashes to a single slash. This can result in a bypass of the authorization policy ("//admin" does not match "/admin"), and a user can access the resource at path "/admin" in the backend.

What should I do?

Check if your clusters are impacted

Your cluster is impacted by this vulnerability if you have authorization policies using the "ALLOW action + notPaths field" or "DENY action + paths field" patterns. These patterns are vulnerable to unexpected policy bypasses, and you should upgrade to fix the security issue as soon as possible.

The following is an example of vulnerable policy that uses "DENY action + paths field" pattern:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-path-admin
spec:
  action: DENY
  rules:
  - to:
    - operation:
        paths: ["/admin"]

The following is another example of vulnerable policy that uses "ALLOW action + notPaths field" pattern:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-path-not-admin
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        notPaths: ["/admin"]

Your cluster is not impacted by this vulnerability if:

  • You don't have authorization policies.
  • Your authorization policies don't define paths or notPaths fields.
  • Your authorization policies use "ALLOW action + paths field" or "DENY action + notPaths field" patterns. These patterns could only cause unexpected rejection instead of policy bypasses.

Upgrading is optional for these cases.

Mitigation

Update your clusters to the latest supported Anthos Service Mesh versions*. These versions support configuring the Envoy proxies in the system with more normalization options:

  • 1.9.5-asm.2
  • 1.8.6-asm.3
  • 1.7.8-asm.8

* Note: The rollout of the Anthos Service Mesh Managed Control Plane (available only in 1.9.x versions) will complete in the next few days.

Follow the Istio security best practices guide to configure your authorization policies.
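The following is an added example, not code from the bulletins or from Istio or Envoy, that shows why the normalization introduced by the patched versions matters. It models a "DENY action + paths" rule and a "DENY action + hosts" rule and evaluates the sample requests from the bulletins above (GCP-2021-016's fragment and case-sensitive host, and this bulletin's multiple and escaped slashes) twice: once against the raw request, as the vulnerable versions did, and once after the path and host normalization the patches apply. The normalization steps are a simplified assumption of this example (Envoy's actual normalization is configurable and more thorough), and matching is exact-match only, whereas Istio paths also accept prefix and suffix wildcards.

```python
"""Vulnerable vs. patched evaluation of path- and host-based DENY rules.

Added illustration of the bulletins' normalization fix; not Istio or Envoy code.
"""
import re

# Example policies taken from the bulletins (DENY action + paths / hosts).
DENIED_PATHS = ["/admin", "/user/profile"]
DENIED_HOSTS = ["secret.com"]


def normalize_path(path: str) -> str:
    """Path as the patched versions evaluate it before authorization and routing.

    Simplified model (an assumption of this example, not Envoy's exact algorithm):
      1. drop the fragment, i.e. everything from the first '#' (CVE-2021-39156);
      2. decode percent-encoded slashes %2F and %5C (CVE-2021-31920);
      3. treat a backslash as a slash and merge runs of slashes into one.
    """
    path = path.split("#", 1)[0]
    path = re.sub(r"%(?:2[fF]|5[cC])", "/", path)
    path = path.replace("\\", "/")
    return re.sub(r"/{2,}", "/", path)


def path_decision(denied_paths, request_path, patched):
    """DENY or ALLOW for a 'DENY action + paths' rule; exact match only."""
    candidate = normalize_path(request_path) if patched else request_path
    return "DENY" if candidate in denied_paths else "ALLOW"


def host_decision(denied_hosts, host_header, patched):
    """DENY or ALLOW for a 'DENY action + hosts' rule.

    The vulnerable versions compared Host/:authority case-sensitively; the
    patched ones compare case-insensitively, as RFC 4343 requires (CVE-2021-39155).
    """
    if patched:
        return "DENY" if host_header.lower() in {h.lower() for h in denied_hosts} else "ALLOW"
    return "DENY" if host_header in denied_hosts else "ALLOW"


# Constructed sample requests: the variants the bulletins describe, plus
# "/admin/", a genuinely different path that stays allowed in both modes.
PATH_REQUESTS = ["/admin", "//admin", "/%2Fadmin", "/admin/", "/user/profile#section1"]
HOST_REQUESTS = ["secret.com", "Secret.com", "SECRET.COM"]


def compare():
    """Map each sample request to (vulnerable decision, patched decision)."""
    results = {}
    for p in PATH_REQUESTS:
        results[p] = (path_decision(DENIED_PATHS, p, False), path_decision(DENIED_PATHS, p, True))
    for h in HOST_REQUESTS:
        results[h] = (host_decision(DENIED_HOSTS, h, False), host_decision(DENIED_HOSTS, h, True))
    return results


if __name__ == "__main__":
    for request, (before, after) in compare().items():
        note = "  <- closed by normalization" if before != after else ""
        print(f"{request:26} vulnerable={before:5} patched={after:5}{note}")
```

The rows where the two decisions differ are exactly the "DENY action + paths" and hosts cases the bulletins call out; the same normalization also explains why "ALLOW action + paths" is safe in the unpatched versions, since a non-canonical request can only fail to match an allow rule and be rejected.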

Severity: High

Notes: CVE-2021-31920

GCP-2021-004

Published: 2021-05-06

Description

The Envoy and Istio projects recently announced several new security vulnerabilities (CVE-2021-28682, CVE-2021-28683, and CVE-2021-29258) that could allow an attacker to crash Envoy and potentially render parts of the cluster offline and unreachable.

This impacts delivered services such as Anthos Service Mesh.

What should I do?

To fix these vulnerabilities, upgrade your Anthos Service Mesh bundle to one of the following patched versions:

  • 1.9.3-asm.2
  • 1.8.5-asm.2
  • 1.7.8-asm.1
  • 1.6.14-asm.2

For more information, see the Anthos Service Mesh release notes.

Severity: High

Notes: CVE-2021-28682, CVE-2021-28683, CVE-2021-29258