From aaeeb302e08cd7e64901bd5ed168fcf871b3f7e6 Mon Sep 17 00:00:00 2001
From: jacob-delgado
Date: Tue, 11 Aug 2020 13:57:30 -0600
Subject: [PATCH] update docs to point to 1.6 release (#10) (#7914) (#7919)

* Announcement for Istio 1.5.9 and Istio 1.6.8
* Fix istio version
---
 .spelling | 1 +
 .../releases/1.5.x/announcing-1.5.9/index.md | 22 +++++++
 .../releases/1.6.x/announcing-1.6.8/index.md | 23 +++++++
 .../security/istio-security-2020-009/index.md | 63 +++++++++++++++++++
 4 files changed, 109 insertions(+)
 create mode 100644 content/en/news/releases/1.5.x/announcing-1.5.9/index.md
 create mode 100644 content/en/news/releases/1.6.x/announcing-1.6.8/index.md
 create mode 100644 content/en/news/security/istio-security-2020-009/index.md

diff --git a/.spelling b/.spelling
index 24282dcda1..f512fce909 100644
--- a/.spelling
+++ b/.spelling
@@ -200,6 +200,7 @@ CVE-2020-12604
 CVE-2020-12605
 CVE-2020-13379
 CVE-2020-15104
+CVE-2020-16844
 CVEs
 cves
 cvss
diff --git a/content/en/news/releases/1.5.x/announcing-1.5.9/index.md b/content/en/news/releases/1.5.x/announcing-1.5.9/index.md
new file mode 100644
index 0000000000..592eca1414
--- /dev/null
+++ b/content/en/news/releases/1.5.x/announcing-1.5.9/index.md
@@ -0,0 +1,22 @@
+---
+title: Announcing Istio 1.5.9
+linktitle: 1.5.9
+subtitle: Patch Release
+description: Istio 1.5.9 security release.
+publishdate: 2020-08-11
+release: 1.5.9
+aliases:
+ - /news/announcing-1.5.9
+---
+
+This release fixes the security vulnerability described in [our August 11th, 2020 news post](/news/security/istio-security-2020-009).
+
+These release notes describe what's different between Istio 1.5.8 and Istio 1.5.9.
+
+{{< relnote >}}
+
+## Security update
+
+- __[CVE-2020-16844](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16844)__:
+Callers to TCP services that have a defined Authorization Policies with `DENY` actions using wildcard suffixes (e.g. `*-some-suffix`) for source principals or namespace fields will never be denied access.
+ - CVSS Score: 6.8 [AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N&version=3.1)
diff --git a/content/en/news/releases/1.6.x/announcing-1.6.8/index.md b/content/en/news/releases/1.6.x/announcing-1.6.8/index.md
new file mode 100644
index 0000000000..6f9ade92b5
--- /dev/null
+++ b/content/en/news/releases/1.6.x/announcing-1.6.8/index.md
@@ -0,0 +1,23 @@
+---
+title: Announcing Istio 1.6.8
+linktitle: 1.6.8
+subtitle: Patch Release
+description: Istio 1.6.8 patch release.
+publishdate: 2020-08-11
+release: 1.6.8
+aliases:
+ - /news/announcing-1.6.8
+---
+
+This release fixes the security vulnerability described in [our August 11th, 2020 news post](/news/security/istio-security-2020-009).
+
+This release contains bug fixes to improve robustness. These release notes describe
+what’s different between Istio 1.6.7 and Istio 1.6.8.
+
+{{< relnote >}}
+
+## Security update
+
+- __[CVE-2020-16844](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16844)__:
+Callers to TCP services that have a defined Authorization Policies with `DENY` actions using wildcard suffixes (e.g. `*-some-suffix`) for source principals or namespace fields will never be denied access.
+ - CVSS Score: 6.8 [AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N&version=3.1)
diff --git a/content/en/news/security/istio-security-2020-009/index.md b/content/en/news/security/istio-security-2020-009/index.md
new file mode 100644
index 0000000000..0859a1446d
--- /dev/null
+++ b/content/en/news/security/istio-security-2020-009/index.md
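Review bot: The front matter `description: Istio 1.6.8 patch release.` hides that this is a security release, while the sibling 1.5.9 page added in the same commit uses `description: Istio 1.5.9 security release.`; since the description is what shows in release listings, change it to `description: Istio 1.6.8 security release.` so operators scanning the list see that a CVE fix is involved. The sentence "This release contains bug fixes to improve robustness." is also not backed by anything in these notes, whose only listed item is CVE-2020-16844; either drop it or link the fixes it refers to.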
@@ -0,0 +1,63 @@
+---
+title: ISTIO-SECURITY-2020-009
+subtitle: Security Bulletin
+description: Incorrect Envoy configuration for wildcard suffixes used for Principals/Namespaces in Authorization Policies for TCP Services.
+cves: [CVE-2020-16844]
+cvss: "6.8"
+vector: "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+releases: ["1.5 to 1.5.8", "1.6 to 1.6.7"]
+publishdate: 2020-08-11
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+Istio is vulnerable to a newly discovered vulnerability:
+
+* __[`CVE-2020-16844`](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16844)__:
+Callers to TCP services that have a defined Authorization Policies with `DENY` actions using wildcard suffixes (e.g. `*-some-suffix`) for source principals or namespace fields will never be denied access.
+ * CVSS Score: 6.8 [AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N&version=3.1)
+
+Istio users are exposed to this vulnerability in the following ways:
+
+If the user has an Authorization similar to
+
+{{< text yaml >}}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: foo
+ namespace: foo
+spec:
+ action: DENY
+ rules:
+ - from:
+ - source:
+ principals:
+ - */ns/ns1/sa/foo # indicating any trust domain, ns1 namespace, foo svc account
+{{< /text >}}
+
+Istio translates the principal (and `source.principal`) field to an Envoy level string match
+
+{{< text yaml >}}
+stringMatch:
+ suffix: spiffe:///ns/ns1/sa/foo
+{{< /text >}}
+
+which will not match any legitimate caller as it included the `spiffe://` string incorrectly. The correct string match should be
+
+{{< text yaml >}}
+stringMatch:
+ regex: spiffe://.*/ns/ns1/sa/foo
+{{< /text >}}
+
+Prefix and exact matches in `AuthorizationPolicy` is unaffected, as are ALLOW actions in them; HTTP is also unaffected.
+
+## Mitigation
+
+* For Istio 1.5.x deployments: update to [Istio 1.5.9](/news/releases/1.5.x/announcing-1.5.8) or later.
+* For Istio 1.6.x deployments: update to [Istio 1.6.8](/news/releases/1.6.x/announcing-1.6.8) or later.
+* Do not use suffix matching in DENY policies in the source principal or namespace field for TCP services and use Prefix and Exact matching where applicable. Where possible change TCP to HTTP for port name suffixes in your Services.
+
+{{< boilerplate "security-vulnerability" >}}
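Review bot: The 1.5.x bullet under Mitigation links to `/news/releases/1.5.x/announcing-1.5.8` while telling readers to update to Istio 1.5.9, so the link lands on a release this bulletin itself lists as affected; it should be `/news/releases/1.5.x/announcing-1.5.9`, matching the 1.6.x bullet next to it and the announcement file this commit adds. In the example policy the value `*/ns/ns1/sa/foo` is unquoted, and a leading `*` is the YAML alias indicator, so a user who copies the snippet will get a parse error rather than the policy shown — quote it as `- "*/ns/ns1/sa/foo"`. The paragraph after the `suffix:` snippet would be clearer if it spelled out the consequence it only implies: because the generated suffix can never match a real SPIFFE identity, the DENY rule never fires and every caller is admitted, which is what the C:H/I:H vector reflects. The last bullet's "change TCP to HTTP for port name suffixes" presumably only helps where the workload actually speaks HTTP; a one-clause caveat to that effect would stop operators from relabeling raw TCP ports and breaking traffic.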