PT-2022-15031 · Istio

Author: Aakash2017 · Published 2022-01-19 · Updated 2022-01-27 · CVE-2022-21679

CVSS v2.0: 7.5 (High) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the vulnerable software and affected versions: Istio versions 1.12.0 through 1.12.1

Description: An authorization policy that uses the hosts or notHosts fields may be accidentally bypassed (for the ALLOW action) or may reject requests unexpectedly (for the DENY action) during an upgrade from 1.11 to 1.12.0/1.12.1. The cause is a bug in 1.12.0 and 1.12.1 that incorrectly uses the new Envoy API with a 1.11 data plane. When a 1.12.0/1.12.1 control plane is mixed with a 1.11 data plane, the hosts and notHosts fields always match, regardless of the actual value of the request's host header.

Recommendations: Upgrade to a version that does not have this bug. While running 1.12.0 or 1.12.1, do not mix the 1.12.0/1.12.1 control plane with a 1.11 data plane if any authorization policy uses the hosts or notHosts field.
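The recommendation above amounts to an audit: find every AuthorizationPolicy that relies on hosts or notHosts and check whether the cluster is running the affected control-plane/data-plane mix. The script below is an added example written for this page; it is not code from the advisory or from the Istio project. It assumes the policies have already been exported and are supplied as Python dicts mirroring the AuthorizationPolicy YAML layout (spec.action, spec.rules[].to[].operation.hosts / notHosts), and that the control-plane and proxy version strings have been collected separately; the sample policies and version strings are constructed for illustration.

```python
"""Audit helper for the CVE-2022-21679 version mix (added example, not Istio code).

Given a control-plane version, the versions of the data-plane proxies, and a set
of AuthorizationPolicy objects as plain dicts, report the rules whose hosts or
notHosts matching would be unreliable under the affected combination described
in the advisory (1.12.0/1.12.1 control plane with a 1.11 data plane).
"""
import re
from typing import Iterable, List, Tuple

# Control-plane releases carrying the bug, per the advisory.
AFFECTED_CONTROL_PLANE = {(1, 12, 0), (1, 12, 1)}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '1.12.1' or 'v1.11.4' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised Istio version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def risky_version_mix(control_plane: str, data_plane_versions: Iterable[str]) -> bool:
    """True when an affected control plane is paired with at least one 1.11 proxy."""
    if parse_version(control_plane) not in AFFECTED_CONTROL_PLANE:
        return False
    return any(parse_version(v)[:2] == (1, 11) for v in data_plane_versions)


def policy_uses_host_fields(policy: dict) -> List[Tuple[int, int, str]]:
    """Return (rule index, to index, field) for every hosts/notHosts use in a policy."""
    found = []
    for ri, rule in enumerate(policy.get("spec", {}).get("rules", []) or []):
        for ti, to in enumerate(rule.get("to", []) or []):
            op = to.get("operation", {}) or {}
            for field in ("hosts", "notHosts"):
                if op.get(field):
                    found.append((ri, ti, field))
    return found


def audit(control_plane: str, data_plane_versions: Iterable[str], policies: Iterable[dict]):
    """Return findings as (policy name, action, field path, effect) tuples.

    Nothing is reported unless the risky version mix is present, because the
    host fields behave correctly on a consistent control/data plane.
    """
    findings = []
    if not risky_version_mix(control_plane, data_plane_versions):
        return findings
    for pol in policies:
        action = pol.get("spec", {}).get("action", "ALLOW")  # ALLOW is the API default
        for ri, ti, field in policy_uses_host_fields(pol):
            if action == "ALLOW":
                effect = "rule matches every host: may ALLOW requests it should reject"
            elif action == "DENY":
                effect = "rule matches every host: may DENY requests it should accept"
            else:
                effect = "rule matches every host: host-based matching is unreliable"
            path = f"rules[{ri}].to[{ti}].operation.{field}"
            findings.append((pol["metadata"]["name"], action, path, effect))
    return findings


# Constructed sample policies mirroring AuthorizationPolicy YAML (not from any real cluster).
SAMPLE_POLICIES = [
    {
        "metadata": {"name": "allow-frontend-host", "namespace": "default"},
        "spec": {
            "action": "ALLOW",
            "rules": [{"to": [{"operation": {"hosts": ["frontend.example.com"]}}]}],
        },
    },
    {
        "metadata": {"name": "deny-admin-host", "namespace": "default"},
        "spec": {
            "action": "DENY",
            "rules": [{"to": [{"operation": {"notHosts": ["admin.example.com"], "methods": ["GET"]}}]}],
        },
    },
    {
        # Uses only paths, so it is unaffected by the hosts/notHosts bug.
        "metadata": {"name": "allow-by-path-only", "namespace": "default"},
        "spec": {"rules": [{"to": [{"operation": {"paths": ["/healthz"]}}]}]},
    },
]

if __name__ == "__main__":
    # Constructed versions: a 1.12.1 control plane mid-upgrade with one 1.11 proxy left.
    for name, action, path, effect in audit("1.12.1", ["1.11.5", "1.12.1"], SAMPLE_POLICIES):
        print(f"{name} ({action}) {path}: {effect}")
```

Running the script with a consistent data plane (all proxies on 1.12.1) yields no findings; with a single 1.11 proxy still present it flags both host-based policies, which is exactly the window the advisory warns about.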

Related Identifiers

CVE-2022-21679
GHSA-RWFR-XRVW-2RVV

Affected Products

Istio