istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[master] Small fixes for GOLDPANDA. (#9738) 

* Small fixes for GOLDPANDA.

* Small format fix.

Co-authored-by: Oliver Liu <yonggangl@google.com>
This commit is contained in:
Istio Automation 2021-05-13 15:11:39 -07:00 committed by GitHub
parent 73d70ed49e
commit ddd2221adc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 44 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
content/en/docs/ops/best-practices/security/index.md
View File

@ -59,6 +59,11 @@ before evaluating against the authorization policies and routing the requests:
| `MERGE_SLASHES` | Slashes are merged after the _BASE_ normalization. | `/a//b` is normalized to `/a/b`. |
| `DECODE_AND_MERGE_SLASHES` | The most strict setting when you allow all traffic by default. This setting is recommended, with the caveat that you will need to thoroughly test your authorization policies routes. [Percent-encoded](https://tools.ietf.org/html/rfc3986#section-2.1) slash and backslash characters (`%2F`, `%2f`, `%5C` and `%5c`) are decoded to `/` or `\`, before the `MERGE_SLASHES` normalization. | `/a%2fb` is normalized to `/a/b`. |
{{< tip >}}
The configuration is specified via the [`pathNormalization`](/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ProxyPathNormalization)
field in the the [mesh config](/docs/reference/config/istio.mesh.v1alpha1/).
{{< /tip >}}
To emphasize, the normalization algorithms are conducted in the following order:
1. Percent-decode `%2F`, `%2f`, `%5C` and `%5c`.
@ -87,10 +92,9 @@ The normalized URL paths, or the original URL paths if _NONE_ is selected, will
| Normalizes request paths based on [RFC 3986](https://tools.ietf.org/html/rfc3986), decodes [percent-encoded](https://tools.ietf.org/html/rfc3986#section-2.1) slashes and merges slashes | `DECODE_AND_MERGE_SLASHES` |
| Processes request paths in a way that is incompatible with [RFC 3986](https://tools.ietf.org/html/rfc3986) | `NONE` |
#### How to configure
### How to configure
You specify the normalization by directly editing the [mesh config](/docs/reference/config/istio.mesh.v1alpha1/).
You need to manually edit the mesh config to specify this option:
You can use `istioctl` to update the [mesh config](/docs/reference/config/istio.mesh.v1alpha1/):
{{< text bash >}}
$ istioctl upgrade --set meshConfig.pathNormalization.normalization=DECODE_AND_MERGE_SLASHES
@ -110,6 +114,21 @@ or by altering your operator overrides file
$ istioctl install -f iop.yaml
{{< /text >}}
Alternatively, if you want to directly edit the mesh config,
you can add the [`pathNormalization`](/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ProxyPathNormalization)
to the [mesh config](/docs/reference/config/istio.mesh.v1alpha1/), which is the `istio-<REVISION_ID>` configmap in the `istio-system` namespace.
For example, if you choose the `DECODE_AND_MERGE_SLASHES` option, you modify the mesh config as the following:
{{< text yaml >}}
apiVersion: v1
data:
mesh: |-
...
pathNormalization:
normalization: DECODE_AND_MERGE_SLASHES
...
{{< /text >}}
### Less common normalization configurations
#### Case Normalization

22
content/en/news/releases/1.8.x/announcing-1.8.6/index.md
View File

@ -19,30 +19,32 @@ This is the final release of 1.8. Please upgrade your Istio installation to a su
## Security update
The following 2 CVEs are highly related.
{{< tip >}}
The first 2 CVEs are highly related.
{{< /tip >}}
- __[CVE-2021-31920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31920)__:
Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (`%2F` or `%5C`) could potentially bypass an Istio authorization policy when path based authorization rules are used. See the [ISTIO-SECURITY-2021-005 bulletin](/news/security/istio-security-2021-005) for more details.
- __CVSS Score__: 8.1 [AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
- __[CVE-2021-29492](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29492)__:
Envoy contains a remotely exploitable vulnerability where an HTTP request with escaped slash characters can bypass Envoy's authorization mechanisms.
- __CVSS Score__: 8.3
- __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
- __[CVE-2021-31921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31921)__:
Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with `AUTO_PASSTHROUGH` routing configuration. See the [ISTIO-SECURITY-2021-006 bulletin](/news/security/istio-security-2021-006) for more details.
- __CVSS Score__: 10.0 [AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- __CVSS Score__: 10.0 [AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
## Changes
**Added** [security best practice for authorization policies](/docs/ops/best-practices/security/#authorization-policies)
- **Added** [security best practice for authorization policies](/docs/ops/best-practices/security/#authorization-policies)
**Fixed** istiod so it will no longer generate listeners for privileged gateway ports (<1024) if the gateway Pod does not have sufficient permissions. [Issue 27566](https://github.com/istio/istio/issues/27566)
- **Fixed** istiod so it will no longer generate listeners for privileged gateway ports (<1024) if the gateway Pod does not have sufficient permissions. [Issue 27566](https://github.com/istio/istio/issues/27566)
**Fixed** an issue where transport socket parameters are now taken into account when configured in `EnvoyFilter`. [Issue 28996](https://github.com/istio/istio/issues/28996)
- **Fixed** an issue where transport socket parameters are now taken into account when configured in `EnvoyFilter`. [Issue 28996](https://github.com/istio/istio/issues/28996)
**Fixed** `PeerAuthentication` to not turn off mTLS while using multi-network, non-mTLS endpoints from the cross-network load-balancing endpoints to prevent 500 errors. [Issue 28798](https://github.com/istio/istio/issues/28798)
- **Fixed** `PeerAuthentication` to not turn off mTLS while using multi-network, non-mTLS endpoints from the cross-network load-balancing endpoints to prevent 500 errors. [Issue 28798](https://github.com/istio/istio/issues/28798)
**Fixed** a bug causing runaway logs in istiod after disabling the default ingress controller. [Issue 31336](https://github.com/istio/istio/issues/31336)
- **Fixed** a bug causing runaway logs in istiod after disabling the default ingress controller. [Issue 31336](https://github.com/istio/istio/issues/31336)
**Fixed** the Kubernetes API server so it is now considered to be cluster-local by default . This means that any pod attempting to reach `kubernetes.default.svc` will always be directed to the in-cluster server. [Issue 31340](https://github.com/istio/istio/issues/31340)
- **Fixed** the Kubernetes API server so it is now considered to be cluster-local by default . This means that any pod attempting to reach `kubernetes.default.svc` will always be directed to the in-cluster server. [Issue 31340](https://github.com/istio/istio/issues/31340)
**Fixed** Istio operator to prune resources that do not belong to the specific Istio operator CR. [Issue 30833](https://github.com/istio/istio/issues/30833)
- **Fixed** Istio operator to prune resources that do not belong to the specific Istio operator CR. [Issue 30833](https://github.com/istio/istio/issues/30833)

14
content/en/news/releases/1.9.x/announcing-1.9.5/index.md
View File

@ -15,18 +15,20 @@ This release fixes the security vulnerabilities described in our May 11th posts,
## Security update
The following 2 CVEs are highly related.
{{< tip >}}
The first 2 CVEs are highly related.
{{< /tip >}}
- __[CVE-2021-31920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31920)__:
Istio contains a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (`%2F` or `%5C`) could potentially bypass an Istio authorization policy when path based authorization rules are used. See the [ISTIO-SECURITY-2021-005 bulletin](/news/security/istio-security-2021-005) for more details.
- __CVSS Score__: 8.1 [AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
- __[CVE-2021-29492](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29492)__:
Envoy contains a remotely exploitable vulnerability where an HTTP request with escaped slash characters can bypass Envoy's authorization mechanisms.
- __CVSS Score__: 8.3
Envoy contains a remotely exploitable vulnerability where an HTTP request with escaped slash characters can bypass Envoy's authorization mechanisms.
- __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
- __[CVE-2021-31921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31921)__:
Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with `AUTO_PASSTHROUGH` routing configuration. See the [ISTIO-SECURITY-2021-006 bulletin](/news/security/istio-security-2021-006) for more details.
- __CVSS Score__: 10.0 [AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Istio contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with `AUTO_PASSTHROUGH` routing configuration. See the [ISTIO-SECURITY-2021-006 bulletin](/news/security/istio-security-2021-006) for more details.
- __CVSS Score__: 10.0 [AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
## Changes
**Added** [security best practice for authorization policies](/docs/ops/best-practices/security/#authorization-policies)
- **Added** [security best practice for authorization policies](/docs/ops/best-practices/security/#authorization-policies)

2
content/en/news/security/istio-security-2021-005/index.md
View File

@ -1,7 +1,7 @@
---
title: ISTIO-SECURITY-2021-005
subtitle: Security Bulletin
description:
description: HTTP request paths with multiple slashes or escaped slash characters may bypass path based authorization rules.
cves: [CVE-2021-31920]
cvss: "8.1"
vector: "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"

2
content/en/news/security/istio-security-2021-006/index.md
View File

@ -1,7 +1,7 @@
---
title: ISTIO-SECURITY-2021-006
subtitle: Security Bulletin
description:
description: An external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with `AUTO_PASSTHROUGH` routing configuration.
cves: [CVE-2021-31921]
cvss: "10"
vector: "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"