PT-2021-22412 · Istio · Istio
Yangminzhu
·
Published
2021-08-24
·
Updated
2024-02-21
·
CVE-2021-39155
CVSS v3.1
8.3
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Istio versions prior to 1.11.1
Istio versions prior to 1.10.4
Istio versions prior to 1.9.8
Description
Istio authorization policy should compare the hostname in the HTTP Host header case-insensitively, but in the affected versions the comparison is case-sensitive. The proxy routes on the request hostname case-insensitively, so a request whose Host header differs from the policy's hostname only in letter case reaches the same backend yet is not matched by the policy, and the policy is bypassed. For example, an authorization policy that rejects requests with hostname "httpbin.foo" from certain source IPs can be bypassed by sending the request with hostname "Httpbin.Foo".
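The mismatch described above, as an added example that is not Istio's code: a minimal model in which the router normalises the hostname before lookup while the authorization check in the affected versions compares it byte-for-byte. The routing table, the deny rule, the client address 10.0.0.5 and the requests are constructed for illustration; `vulnerable_denied` and `fixed_denied` model the pre- and post-fix behaviour the advisory describes, not Istio's implementation.

```python
"""Model of CVE-2021-39155: case-sensitive authz check vs. case-insensitive routing.

Added example, not Istio's code. Routes, policy and requests are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    host: str        # value of the HTTP Host / :authority header, as sent by the client
    source_ip: str   # hypothetical client address the policy keys on


# Constructed routing table. The proxy resolves the request hostname
# case-insensitively, so any case variant of a key lands on the same backend.
ROUTES = {
    "httpbin.foo": "httpbin.default.svc",
    "web.foo": "web.default.svc",
}

# Constructed DENY policy: reject requests for "httpbin.foo" from 10.0.0.5.
DENY_HOSTS = {"httpbin.foo"}
DENY_SOURCE_IPS = {"10.0.0.5"}


def normalize_host(host: str) -> str:
    """Normalisation the fix (and the Lua workaround) applies: lower-case the host."""
    return host.lower()


def route(req: Request) -> Optional[str]:
    """Resolve the backend the way the proxy does: ignore letter case."""
    return ROUTES.get(normalize_host(req.host))


def vulnerable_denied(req: Request) -> bool:
    """Affected versions: exact (case-sensitive) hostname comparison."""
    return req.host in DENY_HOSTS and req.source_ip in DENY_SOURCE_IPS


def fixed_denied(req: Request) -> bool:
    """Patched behaviour: compare the normalised hostname, so the policy sees
    the same name the router uses."""
    return normalize_host(req.host) in DENY_HOSTS and req.source_ip in DENY_SOURCE_IPS


def bypass_possible(req: Request) -> bool:
    """True when the request reaches the protected backend without being denied
    by the vulnerable matcher although the fixed matcher would deny it."""
    return (
        route(req) == ROUTES["httpbin.foo"]
        and not vulnerable_denied(req)
        and fixed_denied(req)
    )


def case_variants(host: str) -> list:
    """A few constructed spellings of the same hostname a tester would try."""
    return [host, host.upper(), host.title(), host.swapcase()]


if __name__ == "__main__":
    for h in case_variants("httpbin.foo"):
        r = Request(h, "10.0.0.5")
        print(f"Host={h!r:16} routed_to={route(r)} "
              f"vulnerable_denied={vulnerable_denied(r)} "
              f"fixed_denied={fixed_denied(r)} bypass={bypass_possible(r)}")
```

Only the exact spelling "httpbin.foo" is denied by the vulnerable matcher; every other case variant is still routed to the httpbin backend and passes the check. The temporary workaround from the Recommendations puts the equivalent of `normalize_host` into an Envoy Lua filter that rewrites the `:authority` header (via `request_handle:headers():replace`) before the authorization filter runs, so that the policy and the router again compare the same string.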
Recommendations
For versions prior to 1.11.1, update to Istio 1.11.1 or later.
For versions prior to 1.10.4, update to Istio 1.10.4 or later.
For versions prior to 1.9.8, update to Istio 1.9.8 or later.
As a temporary workaround, consider writing a Lua filter that normalizes the Host header (lower-cases it) before the authorization check runs, so that the policy compares the same hostname the proxy routes on.
Fix
Incorrect Authorization
Related Identifiers
Affected Products
Istio