CVE-2021-39155: 
Istio Control Plane (istiod) vulnerability analysis and mitigation

Istio, an open source platform for microservices integration and traffic management, contained a vulnerability (CVE-2021-39155) where authorization policies failed to handle hostname comparisons correctly. According to RFC 4343, the HTTP Host header comparison should be case insensitive, but the implementation was performing case-sensitive comparisons. This vulnerability was discovered in August 2021 and affected all Istio versions up to 1.9.8, 1.10.4, and 1.11.1 (GitHub Advisory, NVD).

The vulnerability stems from a mismatch between how the Envoy proxy handles hostnames and how authorization policies perform comparisons. While the proxy processes hostnames in a case-insensitive manner, the authorization policies were implementing case-sensitive comparisons. This inconsistency violates RFC 4343 specifications for DNS case insensitivity. The vulnerability has been assigned a CVSS v3.1 base score of 8.3 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L (NVD).

The vulnerability allows attackers to bypass authorization policies by manipulating the case of hostnames in HTTP requests. For example, if an authorization policy is configured to reject requests for 'httpbin.foo' from specific source IPs, an attacker could bypass this restriction by sending requests to 'Httpbin.Foo' (GitHub Advisory).

The vulnerability has been patched in Istio versions 1.9.8, 1.10.4, and 1.11.1. As a temporary workaround, administrators can implement a Lua filter to normalize the Host header before authorization checks, similar to the Path normalization described in Istio's Security Best Practices guide (GitHub Advisory).

Red Hat responded to this vulnerability by releasing security advisories RHSA-2021:3272 and RHSA-2021:3273, providing updated packages for Red Hat OpenShift Service Mesh versions 1.1.17.1 and 2.0.7.1 to address this and other security issues (Red Hat).