Istio Security Assessment
com/istio/istio.io – 26dacdde40968a37ba9eaa864d40e45051ec5448 Key Findings • There was a lack of validation on the VirtualService Gateway fields that could allow route hijacking • In testing, it did not Category Breakdown Access Controls 7 Configuration 5 Cryptography 1 Data Exposure 3 Data Validation 2 Component Breakdown Istio 10 Istio Sidecar 3 Istioctl 2 Pilot 3 Key Critical High Medium 004 High Lack of Security Related Documentation 016 High Lack of VirtualService Gateway Field Validation Enables Request Hijacking 017 High Ingress Gateway Configuration Generation Enables Route Hijacking
51 pages | 849.66 KB | 1 year ago

Performance tuning and best practices in a Knative based, large-scale serverless platform with Istio
configuration parts to CNI. But another init-container, the istio-validation is introduced. o We can remove the istio-validation container by modifying the injection template. Mitigations: o When
23 pages | 2.51 MB | 1 year ago

Istio Service Mesh at Enterprise Scale
k8s Istio mTLS mTLS mTLS + k8s + k8s Istio Istio Validation Webhooks ● Allow configuration only related to owned namespace ○ Only allow configuration for
12 pages | 1.23 MB | 1 year ago

Istio Meetup China: Service Mesh Security, Understanding Istio CNI
CAP_NET_ADMIN and CAP_NET_RAW permission No need for istio-init container means faster startup speed (need validation instead) Issue in Istio CNI Kubelet Start a pausing pod Kubelet invoke CNI plugins CNI plugins
19 pages | 3.17 MB | 1 year ago

Leveraging Istio for Creating API Tests - Low Effort API Testing for Microservices
services Catalog Customer history … Order details Payments Audit Search Suggest … Order validation Fraud Alerts … | CONFIDENTIAL Service testing Test a single service in isolation. All producer
21 pages | 1.09 MB | 1 year ago

Is Your Virtual Machine Really Ready-to-go with Istio?
identity ● using a short-lived K8s service account token ● Automatic certificate rotation ● Validation of the proxy’s status for VM-based workloads #IstioCon V1.8 VM Auto Registration ● Experimental
50 pages | 2.19 MB | 1 year ago

Istio audit report - ADA Logics - 2023-01-30 - v1.0
● pkg/wasm ● Istio Agent ● Istio Pilot ● Istioctl Vectors: ● CWE-295: Improper Certificate Validation ID: ADA-IST-6 Fix: https://github.com/istio/istio/pull/41930 Description In some experimental
55 pages | 703.94 KB | 1 year ago