| Field | Value |
|---|---|
| title | ISTIO-SECURITY-2020-008 |
| subtitle | Security Bulletin |
| description | Incorrect validation of wildcard DNS Subject Alternative Names. |
| cves | CVE-2020-15104 |
| cvss | 6.6 |
| vector | AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C |
| releases | |
| publishdate | 2020-07-09 |
| keywords | |
| skip_seealso | true |
{{< security_bulletin >}}
Istio is vulnerable to a newly discovered vulnerability:

- __CVE-2020-15104__: When validating TLS certificates, Envoy incorrectly allows a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of `*.example.com`, Envoy incorrectly allows `nested.subdomain.example.com`, when it should only allow `subdomain.example.com`.
    - CVSS Score: 6.6 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C
Istio users are exposed to this vulnerability in the following ways:

- Direct use of Envoy's `verify_subject_alt_name` and `match_subject_alt_names` configuration via Envoy Filter.
- Use of Istio's `subjectAltNames` field in destination rules with client TLS settings. A destination rule with a `subjectAltNames` field containing `nested.subdomain.example.com` incorrectly accepts a certificate from an upstream peer with a Subject Alternative Name (SAN) of `*.example.com`. Instead, a SAN of `*.subdomain.example.com` or `nested.subdomain.example.com` should be present.
- Use of Istio's `subjectAltNames` in service entries. A service entry with a `subjectAltNames` field with a value similar to `nested.subdomain.example.com` incorrectly accepts a certificate from an upstream peer with a SAN of `*.example.com`.
The Istio CA, which was formerly known as Citadel, does not issue certificates with DNS wildcard SANs. The vulnerability only impacts configurations that validate externally issued certificates.
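The single-label wildcard rule the bulletin describes, worked through as an added example (this is illustrative Go, not Envoy's or Istio's own code): `matchesWildcard` lets a leading `*.` stand in for exactly one DNS label, `brokenMatchesWildcard` models the CVE-2020-15104 behaviour in which the wildcard may consume any number of labels, and `peerAccepted` applies either rule the way a `subjectAltNames` list in a destination rule or service entry is checked against the SANs a peer presents. The SAN and `subjectAltNames` values below are the ones from the bulletin, embedded as constructed inputs.

```go
package main

import (
	"fmt"
	"strings"
)

// matchesWildcard reports whether a certificate DNS SAN satisfies an expected
// hostname under the single-label wildcard rule: a leading "*." may stand in
// for exactly one DNS label, and every remaining label must match exactly.
// Comparison is case-insensitive and a trailing dot is ignored. This is the
// behaviour the bulletin says Envoy should have; it is not Envoy's code.
func matchesWildcard(san, expected string) bool {
	san = strings.ToLower(strings.TrimSuffix(san, "."))
	expected = strings.ToLower(strings.TrimSuffix(expected, "."))
	if !strings.HasPrefix(san, "*.") {
		return san == expected
	}
	suffix := san[1:] // e.g. ".example.com"
	// A wildcard anywhere other than the leftmost label is not accepted.
	if strings.Contains(suffix, "*") {
		return false
	}
	if !strings.HasSuffix(expected, suffix) {
		return false
	}
	// The part consumed by "*" must be exactly one non-empty label.
	first := strings.TrimSuffix(expected, suffix)
	return first != "" && !strings.Contains(first, ".")
}

// brokenMatchesWildcard models the behaviour described in CVE-2020-15104:
// "*.example.com" is treated as a bare suffix match, so it also accepts
// "nested.subdomain.example.com".
func brokenMatchesWildcard(san, expected string) bool {
	san = strings.ToLower(san)
	expected = strings.ToLower(expected)
	if !strings.HasPrefix(san, "*.") {
		return san == expected
	}
	suffix := san[1:]
	return strings.HasSuffix(expected, suffix) && len(expected) > len(suffix)
}

// peerAccepted reports whether a peer certificate carrying presentedSANs
// satisfies a configured subjectAltNames list: any configured name matched
// by any presented SAN is enough, which mirrors how the lists in the bulletin
// are evaluated. The match rule is passed in so both variants can be compared.
func peerAccepted(presentedSANs, configured []string, match func(san, expected string) bool) bool {
	for _, want := range configured {
		for _, san := range presentedSANs {
			if match(san, want) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed inputs taken from the bulletin's example.
	upstreamCert := []string{"*.example.com"}
	subjectAltNames := []string{"nested.subdomain.example.com"}

	fmt.Println("fixed rule accepts:", peerAccepted(upstreamCert, subjectAltNames, matchesWildcard))
	fmt.Println("broken rule accepts:", peerAccepted(upstreamCert, subjectAltNames, brokenMatchesWildcard))
	// A certificate that should be accepted under the fixed rule.
	fmt.Println("*.subdomain.example.com accepted:",
		peerAccepted([]string{"*.subdomain.example.com"}, subjectAltNames, matchesWildcard))
}
```

Under the fixed rule the `*.example.com` certificate is rejected for `nested.subdomain.example.com` and a `*.subdomain.example.com` or exact-name certificate is required, which is the outcome the bulletin asks operators to expect after upgrading.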
## Mitigation
- For Istio 1.5.x deployments: update to Istio 1.5.8 or later.
- For Istio 1.6.x deployments: update to Istio 1.6.5 or later.
{{< boilerplate "security-vulnerability" >}}