CVE-2021-39156

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path.

Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path.

### Impact Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. ### Patches * Istio 1.11.1 and above * Istio 1.10.4 and above * Istio 1.9.8 and above ### Workarounds A Lua filter may be written to normalize the path. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide. ### References More details can be found in the [Istio Security Bulletin](https://istio.io/latest/news/security/istio-security-2021-008) ### For more information If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com

### Impact Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. ### Patches * Istio 1.11.1 and above * Istio 1.10.4 and above * Istio 1.9.8 and above ### Workarounds A Lua filter may be written to normalize the path. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide. ### References More details can be found in the [Istio Security Bulletin](https://istio.io/latest/news/security/istio-security-2021-008) ### For more information If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com

Istio es una plataforma de código abierto que proporciona una forma uniforme de integrar microservicios, administrar el flujo de tráfico entre microservicios, aplicar políticas y agregar datos de telemetría. Istio versiones 1.11.0, 1.10.3 y por debajo, y versiones 1.9.7 y por debajo, contienen una vulnerabilidad explotable de forma remota en la que una petición HTTP con el parámetro "#fragment" en la ruta puede omitir las políticas de autorización basadas en la ruta URI de Istio. Los parches están disponibles en Istio versión 1.11.1, Istio versión 1.10.4 e Istio versión 1.9.8. Como solución, puede escribirse un filtro Lua para normalizar la ruta.