CVE-2022-21679 – Bypassing Istio Authorization Policy with Hosts and notHosts Fields during Upgrade from 1.11 to 1.12./1.12.1
Istio is a popular open platform used to connect, manage, and secure microservices in a service mesh architecture. Recently, a vulnerability has been discovered in Istio versions 1.12. and 1.12.1, allowing the authorization policy with hosts and notHosts fields to be accidentally bypassed or rejected unexpectedly. The vulnerability is identified as CVE-2022-21679.
Problem Details
When upgrading from Istio 1.11 to 1.12. or 1.12.1, there is a chance that the authorization policy may be bypassed for the ALLOW action or rejected unexpectedly for the DENY action due to an inconsistency between control plane and data plane versions. Istio 1.12 introduces support for the hosts and notHosts fields in authorization policies using a new Envoy API. However, due to a bug in 1.12. and 1.12.1, the new Envoy API is incorrectly used with the 1.11 data plane, causing the hosts and notHosts fields to always be matched regardless of the actual value of the host header.
Here's an example of a potentially problematic authorization policy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: test-policy
namespace: foo
spec:
action: ALLOW
rules:
- to:
- operation:
hosts: ["example.com"]
Impact of the Vulnerability
If you are using Istio 1.12. or 1.12.1 control plane along with 1.11 data plane and have authorization policies that rely on hosts or notHosts fields, you may be at risk of having the policy bypassed or rejected unexpectedly, which could lead to unauthorized access to certain microservices within your service mesh.
Solution and Recommendations
To mitigate this vulnerability, it is advised that users either upgrade their Istio installation or avoid mixing Istio 1.12./1.12.1 control plane with 1.11 data plane if using the hosts or notHosts fields in their authorization policies.
For more information on upgrading Istio versions, you can refer to the official Istio Upgrade Documentation.
Original References
- Istio Security Advisory
- Istio Changelog
- Istio GitHub Issue
Conclusion
The discovery of this vulnerability, CVE-2022-21679, in Istio 1.12. and 1.12.1 highlights the importance of keeping your Istio installation up-to-date and following best practices during the upgrade process. Make sure to assess your current environment and take the necessary steps to secure your service mesh if you are affected by this vulnerability.
Timeline
Published on: 01/19/2022 22:15:00 UTC
Last modified on: 01/27/2022 13:58:00 UTC