Istio announces pair of vulnerabilities, and matching pair of updates to fix them


The Istio team has rushed a brace of updates to plug vulnerabilities in Envoy, the high-performance proxy which is central to the service mesh.

Users are advised to update to the new versions immediately. There is one update for 1.1.x deployments in the shape of Istio 1.1.2, while 1.0.x deployments should upgrade to 1.0.7.

According to Istio, “The vulnerabilities are centered on the fact that Envoy did not normalize HTTP URI paths and did not fully validate HTTP/1.1 header values. These vulnerabilities impact Istio features that rely on Envoy to enforce any of authorization, routing, or rate limiting.”

The vulnerabilities could allow remote attackers to reach unauthorised resources using specially crafted request URI paths and NUL bytes in HTTP/1.1 headers, potentially bypassing DoS prevention systems or being routed to an upstream system that was not meant to be exposed.

Istio said “customers can be affected by these vulnerabilities based on whether paths and request headers are used within Istio policies or routing rules and how the backend HTTP implementation resolves them. If prefix path matching rules are used by Mixer or by Istio authorization policies or the routing rules, an attacker could exploit these vulnerabilities to gain access to unauthorized paths on certain HTTP backends.”

The NUL header exploit should only affect HTTP/1.1 traffic, Istio added, so if your configuration doesn’t carry such traffic, you shouldn’t be concerned. If you are exposed, Istio’s announcement notes that there is no “trivial detection via Envoy’s access logs by scanning for NUL”, but rather “operators might look for inconsistencies in logs between the routing that Envoy performs and the logic intended in the RouteConfiguration.”

Likewise, the announcement suggests that detecting the path traversal exploit should be possible by scanning Envoy’s access logs for suspicious patterns and “requests that are incongruous with the intended operator configuration intent.”
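As an added illustration (not code from the article, from Istio or from Envoy) of why a prefix rule has to be evaluated on the normalized path, and of the log review the announcement recommends: a small Python check that applies a constructed deny-prefix rule to the raw path and to the normalized path, then scans constructed Envoy-style access-log lines for requests whose raw and normalized paths disagree. DENY_PREFIXES, the log format and the sample lines are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed deny rule, standing in for a prefix match in an authorization
# policy or routing rule (hypothetical; not Istio's actual config format).
DENY_PREFIXES = ("/admin",)

# Constructed access-log lines in Envoy's default format (not real traffic).
SAMPLE_LOG = """\
[2019-04-05T10:00:00.000Z] "GET /public/index.html HTTP/1.1" 200 - 0 512 3 2 "-" "curl/7.64.0"
[2019-04-05T10:00:01.000Z] "GET /public/../admin/users HTTP/1.1" 200 - 0 128 4 3 "-" "curl/7.64.0"
[2019-04-05T10:00:02.000Z] "GET /public/%2e%2e/admin HTTP/1.1" 200 - 0 128 4 3 "-" "curl/7.64.0"
"""

def normalize_path(raw_path: str) -> str:
    """Decode percent-encoding, collapse repeated slashes and resolve dot
    segments, i.e. the path a typical backend will actually resolve."""
    path = unquote(raw_path.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)          # "//admin" -> "/admin"
    normalized = posixpath.normpath(path)    # "/a/../b" -> "/b"
    if path.endswith("/") and normalized != "/":
        normalized += "/"                    # normpath drops the trailing slash
    return normalized

def is_denied(raw_path: str, normalize: bool) -> bool:
    """Prefix rule on the raw path (the behaviour the advisory describes as
    unsafe) or on the normalized path (what the fix amounts to)."""
    path = normalize_path(raw_path) if normalize else raw_path
    return any(path == p or path.startswith(p + "/") for p in DENY_PREFIXES)

def suspicious_log_lines(access_log: str) -> list:
    """Return lines whose request path contains a NUL byte or differs from its
    normalized form: the 'incongruous with operator intent' signal."""
    flagged = []
    for line in access_log.splitlines():
        try:
            raw = line.split('"', 2)[1].split(" ")[1]   # path from "GET /p HTTP/1.1"
        except IndexError:
            continue
        raw_no_query = raw.split("?", 1)[0]
        if "\x00" in line or "%00" in raw or normalize_path(raw) != raw_no_query:
            flagged.append(line)
    return flagged
```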