With the last security fix just a couple of days old, the Istio team recently pushed out version 1.5.8 and 1.6.5 to protect users from another Envoy vulnerability that can be exploited in a couple of ways. 

Istio uses Envoy for its data plane, which makes it susceptible to security issues in the proxy. The newly reported vulnerability has been assigned the ID CVE-2020-15104 and comes into play when the Envoy proxy validates TLS certificates. In those cases it “incorrectly allows a wildcard DNS Subject Alternative Name apply to multiple subdomains” – letting, for example, nested.subdomain.example.com be used, when only subdomain.example.com should be.

This can expose Istio users in a number of scenarios, though only if configurations are used that validate externally issued certificates. Starting points for connected attacks can be via Envoy Filter’s verify_subject_alt_name and match_subject_alt_names configuration, and Istio’s subjectAltNames field in destination rules with client TLS settings or service entries.

Additional details aren’t available yet, though it is already known that CVE-2020-15104 has been rated a severity of 6.6. It mostly impacts confidentiality and affects all releases older than 1.5, as well as versions 1.5 to 1.5.7 and 1.6 to 1.6.4.  

The Istio team also took its chance to sprinkle some additional improvements into the patch release, which is why the release notes for 1.6.5 especially are a bit longer than usual. The latter for example makes sure that istioctl validate forbids fields not included in the Open API specifications and includes some improvements to sidecar injection control. 

It also fixes EDS endpoint selection for subsets with no or empty label selector and returns  “the proper source name after Mixer does a lookup by IP if multiple pods have the same IP”. A complete list of the issues tackled in the new versions can be found on the project site.