Fix CVE-2019-12995 blog post (#4584)

* Address @geeknoid comments

* Address @sdake's comments

* Update content/blog/2019/cve-2019-12995/index.md
Francois Pesce 2019-06-29 02:13:44 -07:00 committed by Joshua Blatt
parent 65b2cb5fce
commit 9a94b59061
1 changed files with 20 additions and 7 deletions

@ -1,16 +1,24 @@
A bug in Istios JWT validation filter causes Istio Proxy to crash in certain cases when the request contains a malformed JWT token. The bug was discovered and reported by a user [on GitHub](https://github.com/istio/istio/issues/15084) on June 23, 2019.
---
title: Security Update - CVE-2019-12995
description: Security vulnerability disclosure for CVE-2019-12995.
publishdate: 2019-06-28
attribution: The Istio Team
keywords: [CVE]
---
A bug in Istios JWT validation filter causes Envoy to crash in certain cases when the request contains a malformed JWT token. The bug was discovered and reported by a user [on GitHub](https://github.com/istio/istio/issues/15084) on June 23, 2019.
This bug affects all versions of Istio that are using the JWT authentication policy.
The symptoms of the bug is an HTTP 503 error seen by the client, and
The symptoms of the bug are an HTTP 503 error seen by the client, and
{{< text text >}}
{{< text plain >}}
Epoch 0 terminated with an error: signal: segmentation fault (core dumped)
{{< /text >}}
in the Envoy logs.
The Envoy crash can be triggered using a malformed JWT without a valid signature, and on any URI being accessed regardless of the trigger\_rules in the JWT specification. Thus, this bug makes the Istio proxy vulnerable to a potential DoS attack.
The Envoy crash can be triggered using a malformed JWT without a valid signature, and on any URI being accessed regardless of the `trigger_rules` in the JWT specification. Thus, this bug makes Envoy vulnerable to a potential DoS attack.
This vulnerability is referred to as [CVE 2019-12995](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12995)
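Review bot: the possessive is still missing in the rewritten opening sentence: `A bug in Istios JWT validation filter causes Envoy to crash` should read `Istio's`, since the commit touches this line anyway. The hunk's closing context line, `This vulnerability is referred to as [CVE 2019-12995](...)`, writes the identifier with a space instead of a hyphen (the title, front matter and URL all use `CVE-2019-12995`) and has no terminating period; both should be fixed in the same pass that renames Istio Proxy to Envoy and puts `trigger_rules` in code formatting.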
@ -28,15 +36,20 @@ Overall CVSS score: 7.5 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C](http
## Vulnerability impact and Detection
The Istio proxy is vulnerable if the following two conditions are satisfied:
Envoy is vulnerable if the following two conditions are satisfied:
* A JWT authentication policy is applied to it.
* The JWT issuer (specified by `jwksUri`) uses RSA algorithm for signature verification (Note the bug is just triggered in this condition and have nothing to do with the RSA algorithm)
* The JWT issuer (specified by `jwksUri`) uses the RSA algorithm for signature verification
{{< tip >}}
The RSA algorithm used for signature verification does not contain any known security vulnerability. This CVE is triggered only when using this algorithm but is unrelated to the security of the system.
{{< /tip >}}
If JWT policy is applied to the Istio ingress gateway, please be aware that any external user who has access to the ingress gateway could crash it with a single HTTP request.
If JWT policy is applied to the sidecar only, please keep in mind it might still be vulnerable. For example, the Istio ingress gateway might forward the JWT token to the sidecar which could be a malformed JWT token that crashes the sidecar.
A vulnerable Istio proxy will crash on an HTTP request with a malformed JWT token. When Istio proxy crashes, all existing connections will be disconnected immediately. The pilot-agent will restart the crashed Istio proxy automatically and it may take a few seconds to a few minutes for the restart. pilot-agent will stop restarting the Istio proxy after it crashed more than 10 times. In this case, Kubernetes will redeploy the pod (including the workload behind Istio proxy).
A vulnerable Envoy will crash on an HTTP request with a malformed JWT token. When Envoy crashes, all existing connections will be disconnected immediately. The `pilot-agent` will restart the crashed Envoy automatically and it may take a few seconds to a few minutes for the restart. pilot-agent will stop restarting Envoy after it crashed more than ten times. In this case, Kubernetes will redeploy the pod, including the workload behind Envoy.
To detect if there is any JWT authentication policy applied in your cluster, run the following command which print either of the following output:
* Found JWT in authentication policy, **YOU ARE AFFECTED**
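Review bot: the new tip is misleading as written. `This CVE is triggered only when using this algorithm but is unrelated to the security of the system.` says the crash is unrelated to the system's security, yet the post itself describes a remotely triggerable DoS; what the deleted parenthetical meant is that the bug has nothing to do with the RSA algorithm's own security. Suggest `... but is unrelated to the security of the RSA algorithm itself.` Two smaller points in the same hunk: the rewritten restart paragraph formats the first `pilot-agent` as code but leaves the second occurrence (`pilot-agent will stop restarting Envoy`) bare, and the unchanged context line `run the following command which print either of the following output` should read `which prints one of the following outputs`. The heading `## Vulnerability impact and Detection` also has inconsistent capitalization; the rest of the post uses sentence case.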