Authorization Policy For Host Rules During Upgrades.
| CVSS Impact Score | 6.8 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Affected Releases | 1.12.0 to 1.12.1 |
Istio 1.12.0/1.12.1 will generate incorrect configuration for proxies of version 1.11 affecting the notHosts field in the authorization policy. The incorrect configuration could cause requests to accidentally bypass or get rejected by the authorization policy when using the

The issue happens when mixing the 1.12.0/1.12.1 control plane with the 1.11 data plane and using the notHosts field in the authorization policy.
- Upgrade to the latest 1.12.2; or
- Do not mix the 1.12.0/1.12.1 control plane with the 1.11 data plane if using the notHosts field in the authorization policy.
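
The three conditions described above (a 1.12.0/1.12.1 control plane, 1.11 proxies, and a policy that uses notHosts) can be checked together. The following is an added example, not part of the Istio bulletin or the Istio code base; it assumes the policy list is JSON in the shape returned by `kubectl get authorizationpolicy -A -o json` and that proxy versions are supplied as strings. The function names, the sample policies and the proxy version 1.11.4 are constructed for illustration.

```python
import json

AFFECTED_CONTROL_PLANES = {"1.12.0", "1.12.1"}  # affected releases per the bulletin
AFFECTED_PROXY_MINOR = "1.11"                    # data plane version per the bulletin

def policies_using_not_hosts(policy_list):
    """Return sorted 'namespace/name' of policies with a non-empty notHosts."""
    hits = set()
    for item in policy_list.get("items", []):
        meta = item.get("metadata", {})
        for rule in item.get("spec", {}).get("rules") or []:
            for to in rule.get("to") or []:
                if (to.get("operation") or {}).get("notHosts"):
                    hits.add(f"{meta.get('namespace', '')}/{meta.get('name', '')}")
    return sorted(hits)

def is_affected_proxy(version):
    """True for 1.11 and 1.11.x, but not for e.g. 1.110.0."""
    return version == AFFECTED_PROXY_MINOR or version.startswith(AFFECTED_PROXY_MINOR + ".")

def assess(control_plane_version, proxy_versions, policy_list):
    """Return (exposed, policies); exposed only if all three conditions hold."""
    mixed = (control_plane_version in AFFECTED_CONTROL_PLANES
             and any(is_affected_proxy(v) for v in proxy_versions))
    policies = policies_using_not_hosts(policy_list)
    return (mixed and bool(policies), policies)

# Constructed sample input, not taken from a real cluster.
SAMPLE_POLICIES = json.loads("""
{"items": [
  {"metadata": {"name": "deny-other-hosts", "namespace": "prod"},
   "spec": {"action": "DENY",
            "rules": [{"to": [{"operation": {"notHosts": ["app.example.com"]}}]}]}},
  {"metadata": {"name": "allow-get", "namespace": "prod"},
   "spec": {"action": "ALLOW",
            "rules": [{"to": [{"operation": {"methods": ["GET"]}}]}]}}
]}
""")

if __name__ == "__main__":
    exposed, names = assess("1.12.1", ["1.11.4", "1.12.1"], SAMPLE_POLICIES)
    print("exposed:", exposed, "policies using notHosts:", names)
```
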
We would like to thank Yangmin Zhu and @Aakash2017.