一、漏洞简介¶
1.1 漏洞背景¶
Istio 的授权策略支持基于 URL 路径的访问控制。管理员可以配置允许或拒绝特定路径的访问。然而,URL 路径的规范化(normalization)问题可能导致攻击者通过使用多重斜杠或编码斜杠来绕过授权策略。
1.2 漏洞概述(包含 CVE 编号、危害等级、漏洞类型、披露时间等)¶
| 项目 | 内容 |
|---|---|
| 漏洞编号 | CVE-2021-31920 |
| 危害等级 | MEDIUM / 6.5 |
| 漏洞类型 | 多重斜杠路径绕过授权策略 |
| 披露时间 | 2021-05-27 |
| 影响组件 | Istio |
- CVE编号: CVE-2021-31920
- 危害等级: 高危 (High)
- CVSS评分: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
- 漏洞类型: 授权绕过 (Authorization Bypass)
- 相关 CVE: CVE-2021-29492 (Envoy)
补充核验信息:公开时间:2021-05-27;NVD 评分:6.5(MEDIUM);CWE:CWE-706。
二、影响范围¶
2.1 受影响的版本¶
- Istio 1.8.0 - 1.8.5
- Istio 1.9.0 - 1.9.4
- Istio 1.8.6 之前的所有版本
2.2 不受影响的版本¶
- Istio 1.8.6 及更高版本
- Istio 1.9.5 及更高版本
2.3 触发条件(如特定模块、特定配置、特定运行环境等)¶
- 使用了 AuthorizationPolicy 并配置了 paths 或 notPaths 字段
- 使用 DENY action + paths,或 ALLOW action + notPaths 模式
- 后端应用对路径进行规范化处理(合并多重斜杠)
三、漏洞详情与原理解析¶
3.1 漏洞触发机制¶
当管理员配置如下策略来拒绝访问 /admin 路径:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-admin-path
spec:
action: DENY
rules:
- to:
- operation:
paths: ["/admin"]
攻击者可以使用以下方式绕过:
//admin (多重斜杠)
/./admin (当前目录标记)
/admin/ (添加尾部斜杠)
/%2Fadmin (URL 编码的斜杠)
/%5Cadmin (反斜杠编码)
虽然 RFC 3986 规定 //admin 和 /admin 是不同的路径,但许多后端应用会规范化这些路径,将多重斜杠合并为单个斜杠。这导致:
- Istio 看到
//admin,认为与策略中的/admin不匹配,允许通过 - 请求到达后端应用
- 后端应用将
//admin规范化为/admin - 攻击者成功访问了应该被拒绝的资源
3.2 源码层面的根因分析(结合源码与补丁对比)¶
问题在于 Envoy 的路径匹配机制。Istio 生成的 Envoy 配置使用了精确的路径匹配:
// istio/pilot/pkg/networking/core/v1alpha3/filters_builder.go
// 简化的漏洞代码逻辑
func buildRBACFilter(policy *AuthorizationPolicy) *http.RBAC {
for _, rule := range policy.Spec.Rules {
for _, operation := range rule.To {
for _, path := range operation.Operation.Paths {
// 问题:直接使用路径进行匹配,没有考虑规范化
rbacRule.Paths = append(rbacRule.Paths, &matcher.StringMatcher{
MatchPattern: &matcher.StringMatcher_Exact{
Exact: path, // 精确匹配,不考虑等价路径
},
})
}
}
}
return rbac
}
修复后的代码添加了路径规范化:
```go // 修复后的代码 func buildRBACFilter(policy AuthorizationPolicy) http.RBAC { for , rule := range policy.Spec.Rules { for , operation := range rule.To { for _, path := range operation.Operation.Paths {
四、漏洞复现(可选)¶
4.1 环境搭建¶
暂无公开可验证复现信息。
4.2 PoC 演示与测试过程¶
暂无公开可验证复现信息。
五、修复建议与缓解措施¶
5.1 官方版本升级建议¶
- 优先升级到 1.8.6 或同等后续安全版本。
- 优先升级到 1.9.5 或同等后续安全版本。
- 升级前请结合官方发布说明确认兼容性与回滚方案。
5.2 临时缓解方案(如修改配置文件、关闭相关模块、增加 WAF 规则等)¶
- 在完成版本升级前,建议将相关服务限制在可信网络边界内,并最小化暴露面。
- 对高风险接口、插件或调试功能实施临时下线、访问控制与日志监控。
六、参考信息 / 参考链接¶
6.1 官方安全通告¶
- https://istio.io/latest/news/security/istio-security-2021-005/
6.2 其他技术参考资料¶
- NVD:https://nvd.nist.gov/vuln/detail/CVE-2021-31920
- CVE:https://www.cve.org/CVERecord?id=CVE-2021-31920
- https://istio.io/latest/news/security/istio-security-2021-005/
Istio ???????CVE-2021-31921?¶
??????¶
1.1 ????¶
Istio ???????????? CVE-2021-31921 ??????????????????????? CRITICAL?CVSS 9.8?
1.2 ??????? CVE ???????????????????¶
| ?? | ?? |
|---|---|
| ???? | CVE-2021-31921 |
| ???? | CRITICAL |
| CVSS ?? | 9.8 |
| ???? | CWE-862 |
| ???? | 2021-06-02 |
| ???? | Istio |
??????¶
2.1 ??????¶
istio:istio:*, < 1.8.6istio:istio:*, >= 1.9.0, < 1.9.5
2.2 ???????¶
- NVD / CISA ????????????????????????????????????????
2.3 ????????????????????????¶
- ????????????????????????
- ?????????????????????????????????????
???????????¶
3.1 ??????¶
- NVD ?????Istio before 1.8.6 and 1.9.x before 1.9.5 contains a remotely exploitable vulnerability where an external client can access unexpected services in the cluster, bypassing authorization checks, when a gateway is configured with AUTO_PASSTHROUGH routing configuration.
- ??????????????????????????? PoC ???
3.2 ????????????????????¶
- ?????????????CWE-862?
- NVD / CISA ???????????? diff???????????????????????????????
??????????¶
4.1 ????¶
- ??????????????????????????????????????????
4.2 PoC ???????¶
- ? CISA KEV ????????????????? KEV ????? PoC?
- ??????????????????????????????????????????
???????????¶
5.1 ????????¶
- ???????????????????????????
- ??????????????????????????????????????
5.2 ????????????????????????????¶
- ??????????????????????
- ???????????????????????? WAF ???
- ????????????????????????????
?????? / ????¶
- https://nvd.nist.gov/vuln/detail/CVE-2021-31921
- https://www.cve.org/CVERecord?id=CVE-2021-31921
- https://istio.io/latest/news/security/istio-security-2021-006/
Istio ???????CVE-2022-21679?¶
??????¶
1.1 ????¶
Istio ???????????? CVE-2022-21679 ??????????????????????? MEDIUM?CVSS 6.8?
1.2 ??????? CVE ???????????????????¶
| ?? | ?? |
|---|---|
| ???? | CVE-2022-21679 |
| ???? | MEDIUM |
| CVSS ?? | 6.8 |
| ???? | CWE-670 |
| ???? | 2022-01-19 |
| ???? | Istio |
??????¶
2.1 ??????¶
istio:istio:1.12.0istio:istio:1.12.1
2.2 ???????¶
- NVD / CISA ????????????????????????????????????????
2.3 ????????????????????????¶
- ????????????????????????
- ?????????????????????????????????????
???????????¶
3.1 ??????¶
- NVD ?????Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and...
- ??????????????????????????? PoC ???
3.2 ????????????????????¶
- ?????????????CWE-670?
- NVD / CISA ???????????? diff???????????????????????????????
??????????¶
4.1 ????¶
- ??????????????????????????????????????????
4.2 PoC ???????¶
- ? CISA KEV ????????????????? KEV ????? PoC?
- ??????????????????????????????????????????
???????????¶
5.1 ????????¶
- ???????????????????????????
- ??????????????????????????????????????
5.2 ????????????????????????????¶
- ??????????????????????
- ???????????????????????? WAF ???
- ????????????????????????????
?????? / ????¶
- https://nvd.nist.gov/vuln/detail/CVE-2022-21679
- https://www.cve.org/CVERecord?id=CVE-2022-21679
- https://github.com/istio/istio/security/advisories/GHSA-rwfr-xrvw-2rvv
- https://istio.io/latest/news/releases/1.12.x/announcing-1.12.2/
Istio ???????CVE-2022-31045?¶
??????¶
1.1 ????¶
Istio ???????????? CVE-2022-31045 ??????????????????????? HIGH?CVSS 7.0?
1.2 ??????? CVE ???????????????????¶
| ?? | ?? |
|---|---|
| ???? | CVE-2022-31045 |
| ???? | HIGH |
| CVSS ?? | 7.0 |
| ???? | CWE-125 |
| ???? | 2022-06-09 |
| ???? | Istio |
??????¶
2.1 ??????¶
istio:istio:*, < 1.12.8istio:istio:*, >= 1.13.0, < 1.13.5istio:istio:1.14.0
2.2 ???????¶
- NVD / CISA ????????????????????????????????????????
2.3 ????????????????????????¶
- ????????????????????????
- ?????????????????????????????????????
???????????¶
3.1 ??????¶
- NVD ?????Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to exte...
- ??????????????????????????? PoC ???
3.2 ????????????????????¶
- ?????????????CWE-125?
- NVD / CISA ???????????? diff???????????????????????????????
??????????¶
4.1 ????¶
- ??????????????????????????????????????????
4.2 PoC ???????¶
- ? CISA KEV ????????????????? KEV ????? PoC?
- ??????????????????????????????????????????
???????????¶
5.1 ????????¶
- ???????????????????????????
- ??????????????????????????????????????
5.2 ????????????????????????????¶
- ??????????????????????
- ???????????????????????? WAF ???
- ????????????????????????????
?????? / ????¶
- https://nvd.nist.gov/vuln/detail/CVE-2022-31045
- https://www.cve.org/CVERecord?id=CVE-2022-31045
- https://github.com/istio/istio/security/advisories/GHSA-xwx5-5c9g-x68x
- https://istio.io/latest/news/security/istio-security-2022-05