An unauthorized access vulnerability was found in Istio's servicemesh-proxy. An attacker can use this flaw to request an HTTP path and gain unauthorized access even when that path is configured to require a valid JSON Web Token (JWT).
The exact-match path clause of an authentication policy is compared against the request path as received by the proxy, so a request that appends a query string or fragment to the protected path (for example /productpage?x or /productpage#x) does not match the exact clause and the JWT requirement is never triggered. Depending on the paths used in the exact match clause, it is possible to replace the exact match with a regular expression that also covers those variants.
The following mitigation, as provided by the Istio Product Committee, can be employed.
The original policy specifying a JWT protected path is as follows:
---
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  targets:
  - name: istio-ingressgateway
  origins:
  - jwt:
      issuer: "[email protected]"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - exact: /productpage
The exact path definition can then be updated to a regular expression:
---
  - jwt:
      issuer: "[email protected]"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - included_paths:
        - regex: '/productpage(\?.*)?'
        - regex: '/productpage(#.*)?'
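The following Go program is an added example, not code from the advisory or from the Istio or Envoy code bases. It models the two trigger_rules matchers above against a handful of constructed request paths: the vulnerable exact comparison of the raw path (query string included), the two mitigation regexes anchored the way Envoy's whole-path regex matching behaves, and, as a hypothetical alternative defence, an exact comparison after stripping the query string and fragment. The function and variable names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed request paths, as a proxy receives them in the :path header:
// the query string travels with the path, and some clients also send a
// fragment. These are sample inputs for the example, not captured traffic.
var samplePaths = []string{
	"/productpage",
	"/productpage?u=normal",
	"/productpage#reviews",
	"/productpage/",
	"/productpagex",
	"/api/v1/products",
}

// exactMatchTriggers models the vulnerable `exact:` clause: the raw request
// path, query string and all, is compared byte for byte with the configured
// value, so "/productpage?u=normal" is not "/productpage" and the JWT
// requirement is never triggered for it.
func exactMatchTriggers(configured, requestPath string) bool {
	return requestPath == configured
}

// mitigationRegexes are the two patterns from the advisory. Envoy requires
// the whole path to match a regex matcher, which the ^...$ anchors reproduce.
var mitigationRegexes = []*regexp.Regexp{
	regexp.MustCompile(`^/productpage(\?.*)?$`),
	regexp.MustCompile(`^/productpage(#.*)?$`),
}

// regexTriggers reports whether any configured regex matches the raw path.
func regexTriggers(patterns []*regexp.Regexp, requestPath string) bool {
	for _, re := range patterns {
		if re.MatchString(requestPath) {
			return true
		}
	}
	return false
}

// stripQueryAndFragment is a hypothetical helper (not Istio's code) showing
// the other way to close the hole: normalise the path before an exact
// comparison by dropping everything from the first '?' or '#'.
func stripQueryAndFragment(requestPath string) string {
	if i := strings.IndexAny(requestPath, "?#"); i >= 0 {
		return requestPath[:i]
	}
	return requestPath
}

// normalizedExactTriggers is exact matching applied to the normalised path.
func normalizedExactTriggers(configured, requestPath string) bool {
	return stripQueryAndFragment(requestPath) == configured
}

// bypassPaths returns the sample paths that slip past the vulnerable exact
// matcher without triggering the JWT check but are caught by the mitigation
// regexes.
func bypassPaths() []string {
	var out []string
	for _, p := range samplePaths {
		if !exactMatchTriggers("/productpage", p) && regexTriggers(mitigationRegexes, p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	fmt.Printf("%-24s %-6s %-6s %-10s\n", "path", "exact", "regex", "normalised")
	for _, p := range samplePaths {
		fmt.Printf("%-24s %-6t %-6t %-10t\n", p,
			exactMatchTriggers("/productpage", p),
			regexTriggers(mitigationRegexes, p),
			normalizedExactTriggers("/productpage", p))
	}
	fmt.Println("bypasses closed by the mitigation:", bypassPaths())
}
```

Running the program prints one row per sample path: only "/productpage?u=normal" and "/productpage#reviews" are accepted by the regex and normalised matchers while being missed by the exact one, and paths such as "/productpage/" or "/productpagex" are different resources that none of the matchers treats as the protected page.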