EUVD-2022-4952
Malicious code in bioql PyPI...
istio security update
istio 1.17.5-1 - Addresses CVE CVE-2023-35941, CVE-2023-35942, CVE-2023-35943, CVE-2023-35944. kubevirt 0.58.0-3 - Ensure that selinux build tags are set for all Go builds olcne 1.7.2-2 - Update kubevirt image versions fixing selinux=enforce not being supported 1.7.2-1 - Add Istio-1.17.5 and...
kubernetes security update
kubernetes 1.21.14-3 - Addresses CVE-2022-3294 & CVE-2022-3162 1.21.14-2 - Fixed kubernetes-cni version. 1.21.14-1 - Addresses CVE-2022-3172 olcne 1.4.9-2 - Fix 1.21 kubernetes version to align with last upstream release 1.4.9-1 - Resolve kubernetes CVE-2022-3294 & CVE-2022-3162 for version 1.21...
olcne istio istio security update
olcne 1.3.5-1 - Update Istio to 1.12.6, prometheus-2.30.1, grafana-7.5.15 istio 1.12.6-1 - Addresses CVE-2022-24726, CVE-2022-24921 istio 1.11.4-1 - Added Oracle specific files for 1.11.4-1...
CVE-2022-24726
The CVE-2022-24726 entry affects Istio’s control plane (istiod) where a request processing error in the validating webhook, exposed publicly on TLS port 15017, can crash the control plane when a specially crafted message is processed. Affected versions have been patched in Istio releases 1.13.2, ...
CVE-2022-21701
Istio CVE-2022-21701 affects Istio releases 1.12.0 and 1.12.1. The issue is a privilege escalation via the Kubernetes Gateway API: users with CREATE permissions on gateways.gateway.networking.k8s.io can elevate privileges to create resources they wouldn’t normally access (e.g., Pod). Impact is li...
Mesh-Kridik - An Open-Source Security Checker That Performs Various Security Checks On A Kubernetes Cluster With Istio Service Mesh And Is Leveraged By OPA (Open Policy Agent) To Enforce Security Rules
Enhance your Kubernetes service mesh security! mesh-kridik is an open-source security checker that performs various security checks on a Kubernetes cluster with Istio service mesh and outputs a security report. The security checks are the full implementation of Istio security best practic...
OSV-2021-1658 Null-dereference READ in istio.io/istio/security/pkg/util.ExtractJwtAud
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=42142 Crash type: Null-dereference READ Crash state: istio.io/istio/security/pkg/util.ExtractJwtAud...
GHSA-7774-7VR3-CC8J Authorization Policy Bypass Due to Case Insensitive Host Comparison
Impact According to RFC 4343, Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The Envoy proxy will route the request hostname in a case-insensitive way which means the authorization policy...
Exploit for Use of Hard-coded Credentials in Kiali
CVE-2020-1764 PoC Auth bypass PoC for Kiali 0.4.0 to 1.15.0 u...
CVE-2020-8843
An issue was discovered in Istio 1.3 through 1.3.6. Under certain circumstances, it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to a...