PT-2024-39308 · Amazon · AWS ALB Route Directive Adapter For Istio

Liad-Miggo · Published 2024-10-21 · Updated 2025-10-14

CVE-2024-8901

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AWS ALB Route Directive Adapter For Istio (affected versions not specified)
Description: The JWT authentication mechanism used by the AWS ALB Route Directive Adapter For Istio does not properly validate the signer and issuer of the token. An actor can therefore present a JWT signed by an untrusted entity, potentially spoofing OIDC-federated sessions and bypassing authentication in deployments where ALB targets are directly exposed to internet traffic. The repository has been deprecated and is no longer supported. As a security best practice, ELB targets should not have public IP addresses.
Recommendations: As a temporary workaround, validate that the signer attribute in the JWT matches the ARN of the Application Load Balancer that the service is configured to use. Ensure that any forked or derivative code implements proper signer and issuer validation for JWT authentication. Restrict access to ELB targets, such as EC2 instances or Fargate tasks, by not assigning them public IP addresses, which minimizes the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
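The following Go example illustrates the workaround described above; it is added here and is not code from the adapter project. It assumes the shape of an ALB-minted JWT (an ES256 token whose JOSE header carries a `signer` field with the load balancer ARN and an `iss` field with the OIDC issuer) and a key lookup that, like the regional public-key endpoint, can return a key for any key id it knows. The ARN, issuer, key ids and claims are constructed sample values. The point it shows is that a token from a different ALB can carry a cryptographically valid signature, so signature verification alone does not establish which load balancer issued it; the signer and issuer must be compared against the service's own configuration before the claims are trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// ALBHeader models the JOSE header of an ALB-minted token (assumed shape).
// "signer" is the ARN of the ALB that signed the token and "iss" the OIDC
// issuer; the key lookup covers neither, so both must be checked explicitly.
type ALBHeader struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"`
	Iss    string `json:"iss"`
}

// KeyLookup resolves a key id to a public key. A regional key service answers
// for every ALB in the region, so finding a key proves nothing about which ALB
// owns it.
type KeyLookup func(kid string) (*ecdsa.PublicKey, error)

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyALBToken pins the algorithm, checks signer and issuer against the
// configured values, then verifies the ES256 signature. Claims are returned
// only when every check passes.
func VerifyALBToken(token, expectedSigner, expectedIssuer string, lookup KeyLookup) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var hdr ALBHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, fmt.Errorf("bad header JSON: %w", err)
	}
	if hdr.Alg != "ES256" { // never let the token pick the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	// The checks the advisory asks for: signer ARN and issuer must match configuration.
	if hdr.Signer != expectedSigner {
		return nil, fmt.Errorf("signer %q is not the configured ALB", hdr.Signer)
	}
	if hdr.Iss != expectedIssuer {
		return nil, fmt.Errorf("issuer %q is not the configured OIDC issuer", hdr.Iss)
	}
	pub, err := lookup(hdr.Kid)
	if err != nil {
		return nil, fmt.Errorf("key lookup: %w", err)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signatures are r||s, 32 bytes each
		return nil, errors.New("bad ES256 signature encoding")
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, fmt.Errorf("bad payload JSON: %w", err)
	}
	return claims, nil
}

// MintToken signs a token the way an ALB would; it exists only so the example
// can build sample tokens offline (constructed, not an AWS API).
func MintToken(priv *ecdsa.PrivateKey, hdr ALBHeader, claims map[string]interface{}) (string, error) {
	h, err := json.Marshal(hdr)
	if err != nil {
		return "", err
	}
	c, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url(h) + "." + b64url(c)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

func main() {
	ours, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	lookup := func(kid string) (*ecdsa.PublicKey, error) { return &ours.PublicKey, nil }
	const signer = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/example/abc123" // constructed
	tok, _ := MintToken(ours, ALBHeader{Alg: "ES256", Kid: "kid-ours", Signer: signer, Iss: "https://idp.example.invalid"}, map[string]interface{}{"sub": "alice"})
	claims, err := VerifyALBToken(tok, signer, "https://idp.example.invalid", lookup)
	fmt.Println(claims, err)
}
```

In a real deployment the lookup would fetch the key for `kid` from the regional ALB public-key endpoint and cache it; the comparison of `signer` against the ALB ARN the service is configured with is what stops a token minted by another load balancer in the same region from being accepted, even though its signature verifies.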

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

CVE-2024-8901
GO-2024-3210
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Aws Alb Route Directive Adapter For Istio
Suse