
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-8843 is a vulnerability in Istio-proxy that affects versions 1.3.0 through 1.3.6. It was disclosed on February 11, 2020. The flaw is that the proxy accepts the x-istio-attributes header at ingress, and an attacker-supplied value can influence policy decisions when Mixer policy is configured to apply selectively to requests whose source equals ingress (Istio Security).
The issue arises because Istio-proxy does not reject the x-istio-attributes header on requests entering the mesh through ingress. The header is meant to carry mesh-internal attributes, so a client-supplied value can alter the attributes on which Mixer policy decisions are based, specifically when Mixer policy is configured to apply to sources equal to ingress. Mixer policy was disabled by default in Istio 1.3 and 1.4, so only deployments that enabled it in this way are exposed. The vulnerability has a CVSS v3.1 score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), a high severity (Istio Security).
When exploited, this vulnerability allows an attacker to bypass Mixer policies configured in the way described above. In affected Istio deployments where Mixer policy is enabled and applied to sources equal to ingress, this could lead to unauthorized access or manipulation of policy decisions (Istio Security).
Users running Istio 1.3.x are advised to upgrade to Istio 1.3.7 or later. The issue was fixed without a security announcement in Istio 1.4.0 and Istio 1.3.7: it was initially handled as a non-security bug and was reclassified as a vulnerability in December 2019 (Istio Security).
The vulnerability was discovered and privately reported by Krishnan Anantheswaran and Eric Zhang of Splunk, following responsible disclosure practice (Istio Security).
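As an added illustration (not part of this report or of Istio's own code), the following Python sketch shows two defender-side checks drawn from the advisory: flagging istio-proxy image tags in the affected 1.3.0 to 1.3.6 range, and dropping the mesh-internal x-istio-attributes header from requests at the edge before they reach the ingress gateway, so a client-supplied value cannot reach Mixer. The broader match on any x-istio- prefixed header and the sample request below are assumptions constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Affected range named in the advisory: 1.3.0 through 1.3.6; fixed in 1.3.7 and 1.4.0.
AFFECTED_MIN = (1, 3, 0)
FIXED_IN = (1, 3, 7)

# Header named in the advisory. Mesh-internal, so external clients have no reason to send it.
ATTR_HEADER = "x-istio-attributes"


def parse_version(tag: str) -> Tuple[int, ...]:
    """Extract a semantic version from a plain tag ('1.3.5') or an image ref
    ('docker.io/istio/proxyv2:1.3.6')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"no semantic version found in {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(tag: str) -> bool:
    """True when the istio-proxy version falls inside the CVE-2020-8843 range."""
    return AFFECTED_MIN <= parse_version(tag) < FIXED_IN


def audit_fleet(proxy_tags: Iterable[str]) -> List[str]:
    """Return the image tags from a fleet inventory that still need the 1.3.7 upgrade."""
    return [tag for tag in proxy_tags if is_affected(tag)]


def sanitize_ingress_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a copy of the request headers with mesh-internal x-istio-* headers removed,
    plus findings suitable for logging or alerting. Intended for an edge component that
    sits in front of the ingress gateway. Stripping every x-istio- prefixed header is an
    assumption that generalizes beyond the single header the advisory names."""
    clean: Dict[str, str] = {}
    findings: List[str] = []
    for name, value in headers.items():
        lname = name.lower()
        if lname == ATTR_HEADER or lname.startswith("x-istio-"):
            findings.append(f"dropped mesh-internal header {lname} (value length {len(value)})")
        else:
            clean[name] = value
    return clean, findings


# Constructed sample inventory and request for demonstration only.
SAMPLE_TAGS = ["docker.io/istio/proxyv2:1.3.6", "istio/proxyv2:1.3.7", "proxyv2:1.4.0", "1.3.0"]
SAMPLE_REQUEST = {
    "Host": "shop.example.internal",
    "User-Agent": "curl/7.64.1",
    "X-Istio-Attributes": "PLACEHOLDER-attribute-blob-constructed-for-example",
}
```

Running `audit_fleet(SAMPLE_TAGS)` reports the two affected tags, and `sanitize_ingress_headers(SAMPLE_REQUEST)` returns the request without the X-Istio-Attributes header plus one finding.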
Source: This report was generated using AI