Incorrect validation of wildcard DNS Subject Alternative Names.
| CVSS Impact Score | 6.6 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C |
|---|---|
| Affected Releases | 1.5 to 1.5.7<br>1.6 to 1.6.4<br>All releases prior to 1.5 |
Istio is vulnerable to a newly discovered vulnerability:
CVE-2020-15104: When validating TLS certificates, Envoy incorrectly allows a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of `*.example.com`, Envoy incorrectly allows `nested.subdomain.example.com`, when it should only allow

- CVSS Score: 6.6 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C
Istio users are exposed to this vulnerability in the following ways:
- Direct use of Envoy's `match_subject_alt_names` configuration via Envoy Filter.
- Use of Istio's `subjectAltNames` field in destination rules with client TLS settings. A destination rule with a `subjectAltNames` field with a value similar to `nested.subdomain.example.com` incorrectly accepts a certificate from an upstream peer with a Subject Alternative Name (SAN) of `*.example.com`. Instead a SAN of `nested.subdomain.example.com` should be present.
- Use of Istio's `subjectAltNames` in service entries. A service entry with a `subjectAltNames` field with a value similar to `nested.subdomain.example.com` incorrectly accepts a certificate from an upstream peer with a SAN of
The Istio CA, which was formerly known as Citadel, does not issue certificates with DNS wildcard SANs. The vulnerability only impacts configurations that validate externally issued certificates.
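The difference between the two matching behaviours is easiest to see in code. The following is an added illustration written for this bulletin, not Envoy's or Istio's own validation code: `lenient_san_match` reproduces the over-broad glob-style acceptance described above (for contrast only), while `strict_san_match` applies the RFC 6125 rule that a `*` may only be the entire left-most label of the certificate SAN and covers exactly one DNS label. `accepted_pairs` plays the role of a validator comparing a `subjectAltNames` list (as in a destination rule or service entry) against the DNS SANs presented by the peer; the function names and sample inputs are constructed for this example.

```python
"""Strict vs. lenient wildcard DNS SAN matching.

Added example, not Envoy's or Istio's code. The strict matcher follows
RFC 6125 section 6.4.3: a '*' is accepted only as the entire left-most
label of the certificate SAN and matches exactly one DNS label, so
'*.example.com' covers 'api.example.com' but not
'nested.subdomain.example.com'.
"""
import fnmatch
from typing import List, Tuple


def lenient_san_match(cert_san: str, expected_name: str) -> bool:
    """Glob-style match in which '*' spans dots.

    Reproduces the over-broad acceptance the bulletin describes
    (for contrast only): '*.example.com' would match
    'nested.subdomain.example.com'.
    """
    return fnmatch.fnmatchcase(expected_name.lower(), cert_san.lower())


def strict_san_match(cert_san: str, expected_name: str) -> bool:
    """Return True if expected_name is covered by the certificate's DNS SAN.

    - comparison is case-insensitive and ignores a trailing dot
    - without a wildcard, the names must be identical
    - a wildcard must be the whole left-most label, must be followed by at
      least two labels (so '*' and '*.com' are rejected), and covers one
      label only
    """
    san_labels = cert_san.lower().rstrip(".").split(".")
    name_labels = expected_name.lower().rstrip(".").split(".")
    if "*" not in cert_san:
        return san_labels == name_labels
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if any("*" in label for label in san_labels[1:]):
        return False
    if len(name_labels) != len(san_labels):
        return False  # rejects the nested-subdomain case from the bulletin
    if not name_labels[0] or "*" in name_labels[0]:
        return False
    return name_labels[1:] == san_labels[1:]


def accepted_pairs(expected_names: List[str],
                   cert_sans: List[str]) -> List[Tuple[str, str]]:
    """(expected name, certificate SAN) pairs a strict validator accepts.

    expected_names stands in for a DestinationRule or ServiceEntry
    subjectAltNames list; cert_sans are the DNS SANs from the peer's cert.
    """
    return [(name, san) for name in expected_names for san in cert_sans
            if strict_san_match(san, name)]


if __name__ == "__main__":
    # Constructed sample: the expected SAN from the bulletin versus a peer
    # that presents a wildcard certificate.
    expected = ["nested.subdomain.example.com"]
    presented = ["*.example.com"]
    print("lenient accepts:", lenient_san_match(presented[0], expected[0]))  # True (the bug)
    print("strict accepts: ", accepted_pairs(expected, presented))           # []
```

Run against the bulletin's example, the lenient matcher accepts the wildcard certificate for `nested.subdomain.example.com` while the strict matcher returns no accepted pair, which is the behaviour the fixed releases restore.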
- For Istio 1.5.x deployments: update to Istio 1.5.8 or later.
- For Istio 1.6.x deployments: update to Istio 1.6.5 or later.
We’d like to remind our community to follow the vulnerability reporting process to report any bug that can result in a security vulnerability.