Keptn-Vulnerability-2020-001
Version 1.0
Revision | Updated | Reason
---|---|---
1.0 | July 8, 2020 | Initial Reason
Affected versions: Keptn installations 0.6.2 and older.
Note: This is not applicable if you have installed Keptn using `--use-case=quality-gates` or `--ingress-install-option=reuse`.
Keptn 0.6.2 and older versions install an outdated and potentially insecure version of Istio: Keptn 0.6.x installs Istio 1.3, and Keptn 0.5.x installs Istio 1.2.
This vulnerability affects a 3rd-party component and is publicly known via the Istio security bulletins. There is reason to believe that it has been maliciously exploited in the past, as Istio is an often-targeted component in cloud application workloads.
CVSSv3.1 Rating: 9.0 (Very High)
CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Considering that we are shipping an old version of Istio (1.2 or 1.3, respectively) and that several vulnerabilities in these versions are known (see https://istio.io/latest/news/security/ ), we took the highest CVSS score that Istio itself has reported, which is 9.0 (Very High). The known attacks range from heap overflow and denial of service up to authentication policy bypass.
If you install Keptn, install the latest version of Istio first, then install Keptn using the `--ingress-install-option=reuse` flag.
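To check whether a cluster still runs an Istio release in the affected range, before or after applying the remediation above, here is an added example (not code from Keptn or Istio) that classifies Istio image references by version. The sample image list is constructed, and the image-name pattern and the version threshold (1.3 and below) are assumptions derived from the versions this bulletin lists.

```shell
#!/bin/sh
# Added example, not part of the Keptn bulletin: flag Istio image tags in the
# version range the bulletin names as affected (1.2.x and 1.3.x, as installed
# by Keptn 0.5.x / 0.6.x). Input is one image reference per line, as
# `kubectl get pods -n istio-system -o jsonpath=...` would list them; the
# sample below is constructed so the script runs offline.

# Print "major.minor" for an Istio image such as docker.io/istio/proxyv2:1.3.6
# or istio/pilot:1.6.4-distroless; return 1 for anything else (non-Istio
# images, untagged images, digest references).
istio_minor_version() {
  case "$1" in
    */istio*/*:*|istio*/*:*) ;;
    *) return 1 ;;
  esac
  tag="${1##*:}"            # text after the last ':'
  tag="${tag%%-*}"          # drop suffixes such as -distroless
  major="${tag%%.*}"
  rest="${tag#*.}"
  minor="${rest%%.*}"
  case "$major$minor" in ""|*[!0-9]*) return 1 ;; esac
  printf '%s.%s\n' "$major" "$minor"
}

# Return 0 when the image runs Istio 1.3 or older (the bulletin's affected range).
is_affected_istio() {
  v=$(istio_minor_version "$1") || return 1
  major="${v%%.*}"; minor="${v#*.}"
  [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -le 3 ]; }
}

# Read image references from stdin, print the affected ones, return 0 if any.
scan_images() {
  found=1
  while IFS= read -r img; do
    if [ -n "$img" ] && is_affected_istio "$img"; then
      printf 'AFFECTED: %s\n' "$img"
      found=0
    fi
  done
  return $found
}

# Constructed sample: a Keptn 0.6.x-style cluster plus one patched component.
SAMPLE_IMAGES='docker.io/istio/proxyv2:1.3.6
docker.io/istio/pilot:1.3.6
istio/citadel:1.6.4-distroless
docker.io/keptn/api:0.6.2'
printf '%s\n' "$SAMPLE_IMAGES" | scan_images
```

Pipe the real image list from `kubectl` into `scan_images` instead of the sample; a non-zero exit means no affected Istio image was found.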
As this affects a 3rd-party component, guidance on identifying whether a vulnerability has been abused is documented on the Istio website: https://istio.io/latest/news/security/