Yangminzhu

**Name of the Vulnerable Software and Affected Versions** Istio versions 1.12.0 through 1.12.1 **Description** The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. This issue occurs due to a bug in the 1.12.0 and 1.12.1 versions that incorrectly uses the new Envoy API with the 1.11 data plane, causing the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane. **Recommendations** To resolve the issue, users are advised to upgrade to a version that does not have this bug. For versions 1.12.0 and 1.12.1, do not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using hosts or notHosts field in authorization policy.

**Name of the Vulnerable Software and Affected Versions** Istio versions prior to 1.11.1 Istio versions prior to 1.10.4 Istio versions prior to 1.9.8 **Description** Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way which means the authorization policy could be bypassed. For example, an authorization policy that rejects requests with hostname "httpbin.foo" for some source IPs can be bypassed by sending the request with hostname "Httpbin.Foo". **Recommendations** For versions prior to 1.11.1, update to Istio 1.11.1 or later. For versions prior to 1.10.4, update to Istio 1.10.4 or later. For versions prior to 1.9.8, update to Istio 1.9.8 or later. As a temporary workaround, consider writing a Lua filter to normalize the `Host` header before the authorization check.

**Name of the Vulnerable Software and Affected Versions** Istio versions 1.11.0, 1.10.3 and below, and 1.9.7 and below Istio versions prior to 1.11.1, 1.10.4, and 1.9.8 **Description** Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. A remotely exploitable issue exists where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. **Recommendations** For Istio versions 1.11.0 and below, update to version 1.11.1 or above. For Istio versions 1.10.3 and below, update to version 1.10.4 or above. For Istio versions 1.9.7 and below, update to version 1.9.8 or above. As a temporary workaround, consider writing a Lua filter to normalize the path.