- What's New
- Product Bulletin
- Service Overview
- Billing
- Getting Started
-
User Guide
- Application Service Mesh
- Buying a Service Mesh
- Mesh Management
- Service Management
- Gateway Management
- Grayscale Release
- Mesh Configuration
- Traffic Management
- Security
-
Best Practices
- Upgrading Data Plane Sidecars Without Service Interruption
- Service Governance for Dubbo-based Applications
- Reserving Source IP Address for Gateway Access
- Creating a Service Mesh with IPv4/IPv6 Dual Stack Enabled
- How Do I Query Application Metrics in AOM?
- Reducing the Agency Permissions of ASM Users
- Istio-ingressgateway HA Configuration
-
FAQs
- Service Mesh Cluster
-
Mesh Management
- Why Cannot I Create a Mesh for My Cluster?
- Why Are Exclusive Nodes Still Exist After Istio Is Uninstalled?
- How Do I Upgrade ICAgent?
- How Do I Enable Namespace Injection for a Cluster?
- How Do I Disable Sidecar Injection for Workloads?
- What Can I Do If A Pod Cannot Be Started Due to Unready Sidecar
- How Do I Handle a Canary Upgrade Failure?
-
Adding a Service
- What Do I Do If an Added Gateway Does Not Take Effect?
- Why Does It Take a Long Time to Start the Demo Application in Experiencing Service Mesh in One Click?
- Why Cannot I Access the page of the Demo Application After It Is Successfully Deployed?
- Why Cannot I Select the Corresponding Service When Adding a Route?
- How Do I Inject a Sidecar for the Pod Created Using a Job or CronJob?
- Performing Grayscale Release
-
Managing Traffic
- Why Are the Created Clusters, Namespaces, and Applications Not Displayed on the Traffic Management Page?
- How Do I Change the Resource Requests of the istio-proxy Container?
- Does ASM Support HTTP/1.0?
- How Can I Block Access from Some IP Address Ranges or Ports for a Service Mesh?
- How Do I Configure max_concurrent_streams for a Gateway?
- How Do I Fix Compatibility Issues Between Istio CNI and Init Containers?
-
Monitoring Traffic
- Why Cannot I View Traffic Monitoring Data Immediately After a Pod Is Started?
- Why Are the Latency Statistics on the Dashboard Page Inaccurate?
- Why Is the Traffic Ratio Inconsistent with That in the Traffic Monitoring Chart?
- Why Can't I Find Certain Error Requests in Tracing?
- Why Cannot I Find My Service in the Traffic Monitoring Topology?
- How Do I Connect a Service Mesh to Jaeger or Zipkin for Viewing Traces?
- Videos
-
More Documents
-
User Guide (ME-Abu Dhabi Region)
- Service Overview
- Getting Started
- User Guide
-
FAQs
- Service Mesh Cluster
- Mesh Management
-
Adding a Service
- What Do I Do If an Added Gateway Does Not Take Effect?
- Why Does It Take a Long Time to Start the Demo Application in Experiencing Service Mesh in One Click?
- Why Cannot I Access the page of the Demo Application After It Is Successfully Deployed?
- Why Cannot I Select the Corresponding Service When Adding a Route?
- Performing Grayscale Release
-
User Guide (ME-Abu Dhabi Region)
- General Reference
Copied.
Istiod TLS Certificate and Private Key Abuse (CVE-2021-34824)
Description
Vulnerability Type |
CVE-ID |
Discovered |
---|---|---|
TLS certificate and key abuse |
CVE-2021-34824 |
2021-06-24 |
Impact Score
9.1 (high risk)
Trigger Conditions
Your cluster will be impacted if the following conditions are met:
- The Istio version is 1.8.x, 1.10.0-1.110.1, or 1.9.0-1.9.5.
- The credentialName field is defined in Gateways or DestinationRules.
- The Istiod flag is not set to PILOT_ENABLE_XDS_CACHE=false.
Root Cause
Istio Gateway and DestinationRule can load private keys and certificates from Kubernetes secrets through the credentialName configuration. For Istio 1.8 and later versions, secrets are transferred from Istiod to gateways or workloads through the XDS API.
In the above approach, a gateway or workload deployment should only be able to access credentials (TLS certificates and private keys) stored in the Kubernetes secrets within its namespace. However, a bug in Istiod permits an authorized client the ability to access and retrieve any TLS certificate and private key cached in Istiod.
Affected Versions
For details, see Trigger Conditions.
Patches
- ASM 1.8.4-r5 or later
- Istio 1.10.2 or later
- Istio 1.9.6 or later
Workarounds
Update your cluster to the latest version. If an upgrade is not feasible, this vulnerability can be mitigated by disabling Istiod caching. Caching is disabled by setting an Istiod environment variable PILOT_ENABLE_XDS_CACHE=false. However, system and Istiod performance may be impacted as this disables XDS caching.
Helpful Links
- Istio official website: Summary of Security Issues
- CVE Vulnerability Notice
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot