1.4.7, 1.5.1, istio-security-2020-004 (#6969)

* Announcing 1.5.1 and 1.4.7

- Include ISTIO-SECURITY-2020-004

* fix dates

* Update content/en/news/releases/1.4.x/announcing-1.4.7/index.md

* Update content/en/news/releases/1.5.x/announcing-1.5.1/index.md

* Update content/en/news/security/istio-security-2020-004/index.md
Francois Pesce 2020-03-25 10:35:37 -07:00 committed by GitHub
parent b8b7f2c02b
commit 8bb4178167
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 133 additions and 0 deletions

View File

@ -183,6 +183,7 @@ CVE-2019-9513
CVE-2019-9514 CVE-2019-9514
CVE-2019-9515 CVE-2019-9515
CVE-2019-9518 CVE-2019-9518
CVE-2020-1764
CVE-2020-8595 CVE-2020-8595
CVE-2020-8843 CVE-2020-8843
CVE-2020-8659 CVE-2020-8659
@ -335,6 +336,7 @@ ISTIO-SECURITY-2019-007
ISTIO-SECURITY-2020-001 ISTIO-SECURITY-2020-001
ISTIO-SECURITY-2020-002 ISTIO-SECURITY-2020-002
ISTIO-SECURITY-2020-003 ISTIO-SECURITY-2020-003
ISTIO-SECURITY-2020-004
istio-system istio-system
istio.io istio.io
istio.io. istio.io.

View File

@ -0,0 +1,25 @@
---
title: Announcing Istio 1.4.7
linktitle: 1.4.7
subtitle: Patch Release
description: Istio 1.4.7 patch release.
publishdate: 2020-03-25
release: 1.4.7
aliases:
- /news/announcing-1.4.7
---
This release contains fixes for the security vulnerabilities described in [our March 25th, 2020 news post](/news/security/istio-security-2020-004). This release note describes whats different between Istio 1.4.6 and Istio 1.4.7.
{{< relnote >}}
## Security Update
- **ISTIO-SECURITY-2020-004** Istio uses a hard coded `signing_key` for Kiali.
__[CVE-2020-1764](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1764)__: Istio uses a default `signing key` to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 [release](https://kiali.io/news/security-bulletins/kiali-security-001/).
## Changes
- **Fixed** an issue causing protocol detection to break HTTP2 traffic to gateways ([Issue 21230](https://github.com/istio/istio/issues/21230)).
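Review bot: the Security Update bullet names the same setting two ways, `signing_key` on the heading line and `signing key` in the CVE sentence; the Kiali config key is `signing_key` (the bulletin's own detection grep in this PR looks for that spelling), so use one form in both places. Two wording nits in the same hunk: "whats different" should read "what's different", and "hard coded" is normally hyphenated as "hard-coded".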

View File

@ -0,0 +1,46 @@
---
title: Announcing Istio 1.5.1
linktitle: 1.5.1
subtitle: Patch Release
description: Istio 1.5.1 patch release.
publishdate: 2020-03-25
release: 1.5.1
aliases:
- /news/announcing-1.5.1
---
This release contains bug fixes to improve robustness and fixes for the security vulnerabilities described in [our March 25th, 2020 news post](/news/security/istio-security-2020-004). This release note describes whats different between Istio 1.5.0 and Istio 1.5.1.
{{< relnote >}}
## Security update
- **ISTIO-SECURITY-2020-004** Istio uses a hard coded `signing_key` for Kiali.
__[CVE-2020-1764](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1764)__: Istio uses a default `signing key` to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 [release](https://kiali.io/news/security-bulletins/kiali-security-001/).
## Changes
- **Fixed** Gateway Helm chart for Helm 3 ([Issue 22295](https://github.com/istio/istio/pull/22295))
- **Fixed** an issue where Istio Operator instance deletion hangs for in-cluster operator ([Issue 22280](https://github.com/istio/istio/issues/22280))
- **Fixed** istioctl proxy-status should not list differences if just the order of the routes have changed ([Issue 21709](https://github.com/istio/istio/issues/21709))
- **Fixed** Incomplete support for array notation in "istioctl manifest apply —set" ([Issue 20950](https://github.com/istio/istio/issues/20950))
- **Fixed** Add possibility to add annotations to services in Kubernetes service spec ([Issue 21995](https://github.com/istio/istio/issues/21995))
- **Fixed** Enable setting ILB Gateway using istioctl ([Issue 20033](https://github.com/istio/istio/issues/20033))
- **Fixed** istioctl does not correctly set names on gateways ([Issue 21938](https://github.com/istio/istio/issues/21938))
- **Fixed** OpenID discovery does not work with beta request authentication policy ([Issue 21954](https://github.com/istio/istio/issues/21954))
- **Fixed** Issues related to shared control plane multicluster ([Issue 22173](https://github.com/istio/istio/pull/22173))
- **Fixed** Ingress port displaying target port instead of actual port ([Issue 22125](https://github.com/istio/istio/issues/22125))
- **Fixed** Issue where endpoints were being pruned automatically when installing the Istio Controller ([Issue 21495](https://github.com/istio/istio/issues/21495))
- **Fixed** Add istiod port to gateways for mesh expansion([Issue 22027](https://github.com/istio/istio/issues/22027))
- **Fixed** Multicluster secret controller silently ignoring updates to secrets ([Issue 18708](https://github.com/istio/istio/issues/18708))
- **Fixed** Autoscaler for mixer-telemetry always being generated when deploying with istioctl or Helm ([Issue 20935](https://github.com/istio/istio/issues/20935))
- **Fixed** Prometheus certificate provisioning is broken ([Issue 21843](https://github.com/istio/istio/issues/21843))
- **Fixed** Segmentation fault in Pilot with beta mutual TLS ([Issue 21816](https://github.com/istio/istio/issues/21816))
- **Fixed** Operator status enumeration not being rendered as a string ([Issue 21554](https://github.com/istio/istio/issues/21554))
- **Fixed** in-cluster operator fails to install control plane after having deleted a prior control plane ([Issue 21467](https://github.com/istio/istio/issues/21467))
- **Improved** Add option to enable V8 runtime for telemetry V2 ([Issue 21846](https://github.com/istio/istio/pull/21846))
- **Improved** Add a simple helm chart to install operator ([Issue 21861](https://github.com/istio/istio/issues/21861))
- **Improved** Support custom CA on istio-agent ([Issue 22113](https://github.com/istio/istio/pull/22113))
- **Improved** Add a flag that supports passing GCP metadata to STS ([Issue 21904](https://github.com/istio/istio/issues/21904))
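Review bot: the `istioctl manifest apply —set` entry carries an em dash where the flag is `--set`; readers copy flags out of release notes, so this should be the literal two hyphens. In the same list, "mesh expansion([Issue 22027]" is missing a space before the parenthesis, and several entries labelled "Issue" actually link to pull requests (22295, 22173, 21846, 22113), which is worth relabelling as "PR" or pointing at the tracking issue. The heading reads "Security update" here but "Security Update" in the 1.4.7 note added by this same PR, and "whats different" should be "what's different".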

View File

@ -0,0 +1,60 @@
---
title: ISTIO-SECURITY-2020-004
subtitle: Security Bulletin
description: Default Kiali security configuration allows full control of mesh.
cves: [CVE-2020-1764]
cvss: "8.7"
vector: "AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"
releases: ["1.4 to 1.4.6", "1.5"]
publishdate: 2020-03-25
keywords: [CVE]
skip_seealso: true
---
{{< security_bulletin >}}
Istio 1.4 to 1.4.6 and Istio 1.5 contain the following vulnerability:
* __[`CVE-2020-1764`](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1764)__:
Istio uses a default `signing_key` for Kiali. This can allow an attacker to view and modify the Istio configuration.
* CVSS Score: 8.7 [AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N&version=3.1)
In addition, another CVE is fixed in this release, described by this
[Kiali security bulletin](https://kiali.io/news/security-bulletins/kiali-security-001/).
## Detection
Your installation is vulnerable in the following configuration:
* The Kiali version is 1.15 or earlier.
* The Kiali login token and signing key is unset.
To check your Kiali version, run this command:
{{< text bash >}}
$ kubectl get pods -n istio-system -l app=kiali -o yaml | grep image:
{{< /text >}}
To determine if your login token is unset, run this command and check for blank output:
{{< text bash >}}
$ kubectl get deploy kiali -n istio-system -o yaml | grep LOGIN_TOKEN_SIGNING_KEY
{{< /text >}}
To determine if your signing key is unset, run this command and check for blank output:
{{< text bash >}}
$ kubectl get cm kiali -n istio-system -o yaml | grep signing_key
{{< /text >}}
## Mitigation
* For Istio 1.4.x deployments: update to [Istio 1.4.7](/news/releases/1.4.x/announcing-1.4.7) or later.
* For Istio 1.5.x deployments: update to [Istio 1.5.1](/news/releases/1.5.x/announcing-1.5.1) or later.
* Workaround: You can manually update the signing key to a random token using the following command:
{{< text bash >}}
$ kubectl get cm kiali -n istio-system -o yaml | sed "s/server:/login_token:\\\n \
signing_key: $(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)\\\nserver:/" \
| kubectl apply -f - ; kubectl delete pod -l app=kiali -n istio-system
{{< /text >}}
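Review bot: the workaround command in the Mitigation section needs a test run before it ships, for three reasons visible in the hunk. First, the replacement is inside double quotes, so `\\\n` reaches sed as `\\n`, which GNU sed writes out as a literal backslash followed by `n` rather than a line break; generating the key into a variable first and writing a plain `\n` in the sed program (`KEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1); sed "s/server:/login_token:\n  signing_key: $KEY\nserver:/"`) avoids the double escaping. Second, the pattern matches only the word `server:`, so the inserted `signing_key:` line and the re-emitted `server:` do not inherit the original indentation inside the ConfigMap's YAML, and every occurrence of `server:` is rewritten; re-running the workaround on a ConfigMap that already has a `login_token:` block adds a second one. Third, `kubectl apply -f - ; kubectl delete pod ...` restarts Kiali even when the apply fails, so `&&` is the safer join. Minor: "The Kiali login token and signing key is unset" should read "are unset".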