PT-2020-5948 · Istio · Istio
Published: 2020-10-01 · Updated: 2022-02-15
CVE: CVE-2020-16844
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Istio versions 1.5.0 through 1.5.8
Istio versions 1.6.0 through 1.6.7
Description:
The issue stems from insufficient access control in the Istio service mesh. It may allow a remote attacker to affect the confidentiality and integrity of protected information when an AuthorizationPolicy resource with DENY actions is in use. Specifically, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
Recommendations:
For Istio versions 1.5.0 through 1.5.8, consider updating to a version outside of this range to mitigate the risk.
For Istio versions 1.6.0 through 1.6.7, consider updating to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting the use of wildcard suffixes in AuthorizationPolicy resources to minimize the risk of exploitation.
Avoid using the AuthorizationPolicy resource with DENY actions and wildcard suffixes for source principals or namespace fields until the issue is resolved.
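The following audit script is an added example, not code from this advisory or from the Istio project. It assumes the AuthorizationPolicy manifests have already been parsed into Python dicts (the shape `yaml.safe_load` or `kubectl ... -o json` yields) and, because the advisory does not spell out the exact wildcard form, it conservatively flags any `*` in the `source.principals` and `source.namespaces` fields of a DENY policy. The sample manifests are constructed, and the version helper encodes only the ranges listed above.

```python
"""Audit parsed Istio AuthorizationPolicy objects for the CVE-2020-16844 pattern.

Added example, not Istio project code. Flags DENY policies whose source
principals or namespaces contain a wildcard, and checks whether a given
Istio version falls in the affected ranges the advisory lists.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# Affected ranges from the advisory: 1.5.0-1.5.8 and 1.6.0-1.6.7 (inclusive).
AFFECTED_RANGES = (((1, 5, 0), (1, 5, 8)), ((1, 6, 0), (1, 6, 7)))


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'v1.6.3' or '1.6.3-rc.1' into (1, 6, 3); pre-release tags are ignored."""
    core = version.lstrip("v").split("-", 1)[0]
    major, minor, patch = (int(part) for part in core.split("."))
    return major, minor, patch


def is_affected_version(version: str) -> bool:
    """True when the control-plane version lies inside a listed affected range."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


@dataclass(frozen=True)
class Finding:
    policy: str      # "<namespace>/<name>" of the AuthorizationPolicy
    rule_index: int  # position in spec.rules
    field: str       # "principals" or "namespaces"
    pattern: str     # the wildcard value that was found


def iter_findings(policy: dict) -> Iterator[Finding]:
    """Yield one Finding per wildcard source value inside a DENY policy.

    Only DENY is inspected: the advisory scopes the bypass to DENY actions.
    Assumption: any '*' in the two named fields is treated as a wildcard.
    """
    spec = policy.get("spec", {})
    if spec.get("action") != "DENY":
        return
    meta = policy.get("metadata", {})
    label = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    for index, rule in enumerate(spec.get("rules", [])):
        for clause in rule.get("from", []):
            source = clause.get("source", {})
            for field in ("principals", "namespaces"):
                for value in source.get(field, []):
                    if "*" in value:
                        yield Finding(label, index, field, value)


def audit(policies: list[dict]) -> list[Finding]:
    """Run iter_findings over every policy and collect the results."""
    return [finding for policy in policies for finding in iter_findings(policy)]


# Constructed manifests, written as the dicts a YAML/JSON parser would return.
WEAK_POLICY = {  # DENY + wildcards: the pattern the advisory says never denies
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "deny-legacy-callers", "namespace": "payments"},
    "spec": {
        "action": "DENY",
        "rules": [
            {"from": [{"source": {"principals": ["cluster.local/ns/legacy/sa/*"]}}]},
            {"from": [{"source": {"namespaces": ["*-staging"]}}]},
        ],
    },
}
ALLOW_POLICY = {  # wildcard, but ALLOW: not the affected pattern
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "allow-internal", "namespace": "payments"},
    "spec": {"action": "ALLOW", "rules": [{"from": [{"source": {"namespaces": ["internal-*"]}}]}]},
}
HARDENED_POLICY = {  # same intent as WEAK_POLICY, sources listed explicitly
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "deny-legacy-callers", "namespace": "payments"},
    "spec": {
        "action": "DENY",
        "rules": [{"from": [{"source": {"namespaces": ["legacy-a", "legacy-b"]}}]}],
    },
}

if __name__ == "__main__":
    version = "1.6.3"  # constructed sample; read the real one from istioctl/kubectl
    print(f"Istio {version} affected: {is_affected_version(version)}")
    for finding in audit([WEAK_POLICY, ALLOW_POLICY, HARDENED_POLICY]):
        print(f"{finding.policy} rule[{finding.rule_index}] {finding.field}: {finding.pattern}")
```

On a live cluster the `items` list from `kubectl get authorizationpolicies -A -o json` can be passed straight to `audit`. The check deliberately ignores ALLOW policies and reports only the two fields the advisory names, so it matches the advisory's scope rather than Istio's full matching semantics.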
Weakness Enumeration: Improper Access Control
Related Identifiers: CVE-2020-16844
Affected Products: Istio