An improper access control vulnerability was found in Istio. When an AuthorizationPolicy for a TCP service contains a DENY rule whose value uses a prefix wildcard, Istio translates the rule into an Envoy string match but drops the wildcard, so the match Envoy enforces no longer corresponds to the rule the administrator wrote. An attacker can use this to bypass particular DENY rules and potentially reach resources the policy was meant to restrict.
For an AuthorizationPolicy that applies to a TCP service, if a DENY rule uses a wildcard in the source principals (or namespaces) field, such as:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
…
spec:
  action: DENY
  rules:
  - from:
    - source:
        principals:
        - */ns/servicemesh
consider using an exact or suffix match instead, such as:
        - /foo/bar/ns/servicemesh
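To find policies in a cluster that have the shape described above, the following audit script (an added example, not code from Istio or from this advisory) walks the JSON that `kubectl get authorizationpolicies -A -o json` produces and reports every DENY rule whose source `principals` or `namespaces` value contains a wildcard. Two assumptions are mine: the `notPrincipals`/`notNamespaces` fields are checked as well because they take the same wildcard syntax, and the script cannot tell from the policy alone whether the selected workload port is TCP, so every match is reported for triage rather than filtered. The sample list embedded in the script is constructed for the example; it contains the vulnerable shape, the exact-match mitigation, and an ALLOW policy that is not affected.

```python
"""Audit Istio AuthorizationPolicy objects for DENY rules whose source
principals/namespaces use a wildcard (the pattern this advisory concerns).

Input is the JSON from `kubectl get authorizationpolicies -A -o json`,
a v1 List with an "items" array. Run with no stdin to use the built-in
sample, or pipe the kubectl output in.
"""
import json
import sys

# Fields under rules[].from[].source that use Istio's prefix*/ *suffix
# wildcard syntax. The advisory names principals and namespaces; the
# not* variants are included as an assumption, since they share the syntax.
WILDCARD_FIELDS = ("principals", "notPrincipals", "namespaces", "notNamespaces")

# Constructed sample, not taken from any real cluster.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # vulnerable shape from the advisory: DENY + wildcard principal
            "apiVersion": "security.istio.io/v1beta1",
            "kind": "AuthorizationPolicy",
            "metadata": {"name": "deny-mesh-ns", "namespace": "backend"},
            "spec": {
                "selector": {"matchLabels": {"app": "redis"}},
                "action": "DENY",
                "rules": [{"from": [{"source": {"principals": ["*/ns/servicemesh"]}}]}],
            },
        },
        {   # mitigated shape: exact match, nothing to flag
            "apiVersion": "security.istio.io/v1beta1",
            "kind": "AuthorizationPolicy",
            "metadata": {"name": "deny-mesh-ns-exact", "namespace": "backend"},
            "spec": {
                "action": "DENY",
                "rules": [{"from": [{"source": {"principals": ["/foo/bar/ns/servicemesh"]}}]}],
            },
        },
        {   # ALLOW policy with a wildcard: not the pattern the advisory describes
            "apiVersion": "security.istio.io/v1beta1",
            "kind": "AuthorizationPolicy",
            "metadata": {"name": "allow-teams", "namespace": "frontend"},
            "spec": {
                "action": "ALLOW",
                "rules": [{"from": [{"source": {"namespaces": ["team-*"]}}]}],
            },
        },
    ],
}


def is_wildcard(value: str) -> bool:
    """True for prefix (`foo*`) or suffix (`*foo`) patterns.
    A bare "*" means "any" and takes a separate code path, so it is not flagged."""
    return value != "*" and "*" in value


def find_wildcard_deny_rules(policy: dict) -> list:
    """Findings for one policy as (rule index, field, value); empty unless action is DENY."""
    spec = policy.get("spec") or {}
    if spec.get("action", "ALLOW") != "DENY":   # Istio's default action is ALLOW
        return []
    findings = []
    for i, rule in enumerate(spec.get("rules") or []):
        for frm in rule.get("from") or []:
            source = frm.get("source") or {}
            for field in WILDCARD_FIELDS:
                for value in source.get(field) or []:
                    if is_wildcard(value):
                        findings.append((i, field, value))
    return findings


def audit(policy_list: dict) -> list:
    """Audit every item in a kubectl List; returns one dict per finding."""
    report = []
    for item in policy_list.get("items") or []:
        meta = item.get("metadata") or {}
        for rule_idx, field, value in find_wildcard_deny_rules(item):
            report.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "rule": rule_idx,
                "field": field,
                "value": value,
            })
    return report


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit(data):
        print(f"{f['namespace']}/{f['name']}: rule {f['rule']} "
              f"DENY source.{f['field']} uses wildcard {f['value']!r}; "
              f"review whether it guards a TCP port and replace with an exact match")
```

Each reported policy still needs a human decision: the correct replacement is the exact principal (or namespace) the rule was meant to deny, which the script cannot derive from the wildcard.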