Istiod TLS Certificate and Private Key Abuse (CVE-2021-34824)
Description
| Vulnerability Type | CVE-ID | Discovered |
|---|---|---|
| TLS certificate and key abuse | CVE-2021-34824 | 2021-06-24 |
Impact Score
9.1 (CVSS v3; scores of 9.0 and above fall in the critical band)
Trigger Conditions
Your cluster is affected only if all of the following conditions hold:
- The Istio version is 1.8.x, 1.9.0 to 1.9.5, or 1.10.0 to 1.10.1.
- At least one Gateway or DestinationRule sets the credentialName field, that is, loads a TLS certificate and private key from a Kubernetes secret.
- Istiod runs with XDS caching enabled, which is the default: the environment variable PILOT_ENABLE_XDS_CACHE is not set to false.
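The three conditions above can be checked mechanically. The script below is an added example, not Istio's or ASM's own tooling. It assumes the inputs you would obtain from `istioctl version` (control-plane version), `kubectl get gateways.networking.istio.io,destinationrules.networking.istio.io -A -o json` and `kubectl get deployment istiod -n istio-system -o json` (the default Istiod deployment name and namespace; vendor installs may differ). The sample resources embedded in it are constructed so that it runs offline.

```python
"""Exposure check for CVE-2021-34824 (Istiod XDS credential cache leak).

Added example, not Istio's or ASM's own tooling. The inputs are constructed
inline; in a real cluster feed it the kubectl/istioctl output named above.
"""
import re

# Upstream Istio ranges the advisory lists as affected (inclusive bounds).
AFFECTED_RANGES = [
    ((1, 8, 0), (1, 8, 10**6)),  # every upstream 1.8.x release
    ((1, 9, 0), (1, 9, 5)),
    ((1, 10, 0), (1, 10, 1)),
]


def parse_version(text):
    """'1.10.1' or '1.8.4-r5' -> (1, 10, 1) / (1, 8, 4). Vendor suffixes such
    as ASM's '-r5' are dropped, so check ASM builds by hand: ASM 1.8.4-r5 and
    later carry the fix even though upstream 1.8.x does not."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Istio version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(text):
    ver = parse_version(text)
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)


def credential_refs(resources):
    """Return (kind, namespace, name, credentialName) for every Gateway server
    and DestinationRule TLS block that loads its certificate from a secret.
    `resources` is the List object kubectl prints with -o json."""
    refs = []
    for item in resources.get("items", []):
        kind, meta, spec = item["kind"], item["metadata"], item.get("spec", {})
        tls_blocks = []
        if kind == "Gateway":
            tls_blocks = [s.get("tls", {}) for s in spec.get("servers", [])]
        elif kind == "DestinationRule":
            # credentialName can sit in the top-level policy, a port-level policy or a subset policy
            policy = spec.get("trafficPolicy", {})
            policies = [policy] + policy.get("portLevelSettings", [])
            policies += [sub.get("trafficPolicy", {}) for sub in spec.get("subsets", [])]
            tls_blocks = [p.get("tls", {}) for p in policies]
        for tls in tls_blocks:
            if tls.get("credentialName"):
                refs.append((kind, meta["namespace"], meta["name"], tls["credentialName"]))
    return refs


def xds_cache_enabled(istiod_deployment):
    """True unless PILOT_ENABLE_XDS_CACHE is explicitly 'false' on a container
    of the istiod Deployment. Istiod caches by default, so absence means enabled."""
    for container in istiod_deployment["spec"]["template"]["spec"]["containers"]:
        for env in container.get("env", []):
            if env.get("name") == "PILOT_ENABLE_XDS_CACHE":
                return env.get("value", "").strip().lower() != "false"
    return True


def assess(version, resources, istiod_deployment):
    """All three trigger conditions must hold for the cluster to be exposed."""
    refs = credential_refs(resources)
    cache = xds_cache_enabled(istiod_deployment)
    vuln_version = version_is_affected(version)
    return {
        "version_affected": vuln_version,
        "credential_refs": refs,          # the secrets a rogue workload could pull
        "xds_cache_enabled": cache,
        "affected": vuln_version and bool(refs) and cache,
    }


# Constructed sample inputs (not captured from a real cluster).
SAMPLE_RESOURCES = {"items": [
    {"kind": "Gateway", "metadata": {"name": "shop-gw", "namespace": "shop"},
     "spec": {"servers": [
         {"port": {"number": 443, "protocol": "HTTPS"},
          "tls": {"mode": "SIMPLE", "credentialName": "shop-tls"}},
         {"port": {"number": 80, "protocol": "HTTP"}}]}},
    {"kind": "DestinationRule", "metadata": {"name": "billing-mtls", "namespace": "billing"},
     "spec": {"host": "billing.svc", "trafficPolicy": {
         "tls": {"mode": "MUTUAL", "credentialName": "billing-client-cert"}}}},
    {"kind": "DestinationRule", "metadata": {"name": "plain", "namespace": "shop"},
     "spec": {"host": "cache.svc", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]}


def _istiod(env):
    return {"spec": {"template": {"spec": {"containers": [{"name": "discovery", "env": env}]}}}}


SAMPLE_ISTIOD = _istiod([{"name": "PILOT_TRACE_SAMPLING", "value": "1"}])
SAMPLE_ISTIOD_MITIGATED = _istiod([{"name": "PILOT_ENABLE_XDS_CACHE", "value": "false"}])

if __name__ == "__main__":
    for ver, dep in [("1.10.1", SAMPLE_ISTIOD), ("1.10.1", SAMPLE_ISTIOD_MITIGATED), ("1.10.2", SAMPLE_ISTIOD)]:
        print(ver, assess(ver, SAMPLE_RESOURCES, dep))
```

The version check deliberately uses the upstream ranges only: a vendor build such as ASM 1.8.4-r5 parses as 1.8.4 and is reported as affected, so confirm the vendor patch level separately. The `credential_refs` list is the useful output even on a patched cluster, since it enumerates every certificate and key that was retrievable while the bug was present and therefore worth rotating.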
Root Cause
Istio Gateways and DestinationRules can load private keys and certificates from Kubernetes secrets through the credentialName field. In Istio 1.8 and later, these secrets are delivered from Istiod to gateways and workloads over the XDS API.
In that design, a gateway or workload deployment should only be able to obtain the credentials (TLS certificates and private keys) stored in Kubernetes secrets within its own namespace. However, a bug in Istiod allowed any client authorized to connect to Istiod, which includes the sidecar proxy of every mesh workload, to request and retrieve any TLS certificate and private key held in Istiod's XDS cache, regardless of the namespace it belongs to. A compromised workload could therefore obtain the certificate and key of another namespace's gateway.
Affected Versions
For details, see Trigger Conditions.
Patches
- ASM 1.8.4-r5 or later
- Istio 1.10.2 or later
- Istio 1.9.6 or later
Workarounds
Upgrade your cluster to a patched version. If an upgrade is not feasible, mitigate the vulnerability by disabling Istiod's XDS cache: set the environment variable PILOT_ENABLE_XDS_CACHE=false on the Istiod deployment. Istiod must then regenerate XDS responses instead of serving them from the cache, so control-plane performance may degrade.
Helpful Links
- Istio official website: Summary of Security Issues
- CVE Vulnerability Notice