Added security advisory for gateway port change (#9459)

* Added security advisory for gateway port change Added a script that users can run to evaluate if any of their existing Authorization Policies need to be migrated. * Fix shell check errors * Fix shell check errors * Fix quotes * Code review fixups * Update content/en/news/security/istio-security-2021-002/index.md Co-authored-by: craigbox <craigbox@google.com> * Update content/en/news/security/istio-security-2021-002/index.md Co-authored-by: craigbox <craigbox@google.com> * Update content/en/news/security/istio-security-2021-002/index.md Co-authored-by: craigbox <craigbox@google.com> * Update content/en/news/security/istio-security-2021-002/index.md Co-authored-by: craigbox <craigbox@google.com> * Update content/en/news/security/istio-security-2021-002/index.md Co-authored-by: craigbox <craigbox@google.com> * Update content/en/news/security/istio-security-2021-002/index.md Co-authored-by: craigbox <craigbox@google.com> * Update index.md Co-authored-by: craigbox <craigbox@google.com>
2021-04-07 21:53:19 +05:30 · 2021-04-07 21:53:19 +05:30 · 9552d0e841
parent a163f12a50
commit 9552d0e841
2 changed files with 180 additions and 0 deletions
--- a/content/en/news/security/istio-security-2021-002/check.sh
+++ b/content/en/news/security/istio-security-2021-002/check.sh
@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eEuo pipefail
+
+RED='\033[0;31m'
+NC='\033[0m'
+
+INGRESS_LABEL="istio=ingressgateway"
+INGRESS_NAMESPACE="istio-system"
+
+INGRESS_LABEL_KEY=$(echo $INGRESS_LABEL | cut -d '=' -f 1)
+INGRESS_LABEL_VAL=$(echo $INGRESS_LABEL | cut -d '=' -f 2)
+
+ingress_pod=$(kubectl -n $INGRESS_NAMESPACE get pod \
+  -l $INGRESS_LABEL \
+  -o jsonpath='{.items[0].metadata.name}' || true)
+
+if [ -z "$ingress_pod" ]; then
+  echo "No ingress pod found in \"${INGRESS_NAMESPACE}\" with label selectors \"${INGRESS_LABEL}\""
+  exit 1
+fi
+
+echo "Inspecting Istio ingress gateway pod \"${ingress_pod}\" in \"${INGRESS_NAMESPACE}\" namespace"
+
+ingress_ports=$(istioctl proxy-config listeners \
+  "${ingress_pod}.${INGRESS_NAMESPACE}" \
+  | awk 'NR > 1 {print $2}')
+
+function check_port {
+  local policy_name=$1
+  local port=$2
+
+  local found=false
+  local ip
+  for ip in $ingress_ports; do
+    if [ "$ip" == "$port" ]; then
+      found=true
+      break
+    fi
+  done
+  if ! $found; then
+    echo -e "${RED} Authorization Policy \"${policy_name}\" has port \"${port}\" that needs to be migrated. ${NC}"
+  fi
+}
+
+authz_policies=$(kubectl -n $INGRESS_NAMESPACE get authorizationpolicies | awk 'NR > 1 {print $1}')
+echo -e "Checking Authorization Policies attached to \"$ingress_pod\"\n"
+
+for p in $authz_policies; do
+  policy=$(kubectl -n "${INGRESS_NAMESPACE}" get authorizationpolicy "${p}" -o json)
+  label_selector=$(echo "${policy}" |\
+    jq -r --arg KEY "$INGRESS_LABEL_KEY" '.spec.selector.matchLabels[$KEY]')
+  if [ "${label_selector}" != "${INGRESS_LABEL_VAL}" ]; then
+    continue
+  fi
+  policy_ports=$(echo "${policy}" | jq -r '.spec.rules[]|select(.to)|.to[]|.operation|select(.ports)|.ports[]')
+  policy_notports=$(echo "${policy}" | jq -r '.spec.rules[]|select(.to)|.to[]|.operation|select(.notPorts)|.notPorts[]')
+  for pp in $policy_ports; do
+    check_port "${p}" "${pp}"
+  done
+  for pp in $policy_notports; do
+    check_port "${p}" "${pp}"
+  done
+done
--- a/content/en/news/security/istio-security-2021-002/index.md
+++ b/content/en/news/security/istio-security-2021-002/index.md
@ -0,0 +1,102 @@
+---
+title: ISTIO-SECURITY-2021-002
+subtitle: Security Bulletin
+description: Upgrades from older Istio versions can affect access control to an ingress gateway due to a change of container ports.
+cves: [N/A]
+cvss: "N/A"
+vector: ""
+releases: ["All releases 1.6 and later"]
+publishdate: 2021-04-07
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+Upgrading from Istio versions 1.5 and prior, to 1.6 and later, may result in access control bypass:
+
+- **Incorrect gateway ports on authorization policies on upgrades**: In Istio
+versions 1.6 and later, the default container ports for Istio ingress
+gateways are updated from port "80" to "8080" and "443" to "8443" to allow
+[gateways to run as non-root](/news/releases/1.7.x/announcing-1.7/upgrade-notes/#gateways-run-as-non-root)
+by default. With this change, any existing authorization policies targeting
+an Istio ingress gateway on ports `80` and `443` need to be migrated to use the
+new container ports `8080` and `8443`, before upgrading to the listed versions.
+Failure to migrate may result in traffic reaching ingress gateway service
+ports `80` and `443` to be incorrectly allowed or blocked, thereby causing policy
+violations.
+
+Example of an authorization policy resource that needs to be updated:
+
+    {{< text yaml >}}
+    apiVersion: "security.istio.io/v1beta1"
+    kind: "AuthorizationPolicy"
+    metadata:
+      name: block-admin-access
+      namespace: istio-system
+    spec:
+      selector:
+        matchLabels:
+          istio: ingressgateway
+      action: DENY
+      rules:
+      -  to:
+        - operation:
+            paths: ["/admin"]
+            ports: [ "80" ]
+      -  to:
+        - operation:
+            paths: ["/admin"]
+            ports: [ "443" ]
+
+    {{< /text >}}
+
+The above policy in Istio versions 1.5 and prior will block all access to path
+`/admin` for traffic reaching an Istio ingress gateway on container ports `80`
+and `443`. On upgrading to Istio version 1.6 and later, this policy should
+be updated to the following to have the same effect:
+
+    {{< text yaml >}}
+    apiVersion: "security.istio.io/v1beta1"
+    kind: "AuthorizationPolicy"
+    metadata:
+      name: block-admin-access
+      namespace: istio-system
+    spec:
+      selector:
+        matchLabels:
+          istio: ingressgateway
+      action: DENY
+      rules:
+      -  to:
+        - operation:
+            paths: ["/admin"]
+            ports: [ "8080" ]
+      -  to:
+        - operation:
+            paths: ["/admin"]
+            ports: [ "8443"
+    {{< /text >}}
+
+## Mitigation
+
+- Update your authorization policies before upgrading to the
+affected Istio versions. You can use this [script](./check.sh)
+to check if any of the existing authorization policies
+attached to the default Istio ingress gateway in the `istio-system` namespace need
+to be updated. If you’re using a custom gateway installation, you can customize
+the script to run with parameters applicable to your environment.
+
+It is recommended to create a copy of your existing authorization
+policies, update the copied version to use new gateway workload ports, and
+apply both existing and updated policies in your cluster, before initiating
+the upgrade process. You should only delete the old policies after a
+successful upgrade, to ensure no policy violations occur on upgrade
+failures or rollbacks.
+
+## Credit
+
+We'd like to thank [Neeraj Poddar](https://twitter.com/nrjpoddar)
+for reporting this issue.
+
+{{< boilerplate "security-vulnerability" >}}