Keptn v1 reached EOL December 22, 2023. For more information see https://bit.ly/keptn

Keptn-Vulnerability-2020-001

Version 1.0

Revision Information

Revision | Updated      | Reason
1.0      | July 8, 2020 | Initial Reason

Affected

Keptn installation 0.6.2 and older.

Note: This is not applicable if you have installed Keptn using --use-case=quality-gates or --ingress-install-option=reuse.

Description

Keptn 0.6.2 and older versions install an outdated and potentially insecure version of Istio: Keptn 0.6.x installs Istio 1.3, and Keptn 0.5.x installs Istio 1.2.

This vulnerability affects a third-party component and is publicly known via the Istio security bulletins. There is reason to believe that it has been maliciously exploited in the past, as Istio is a frequently targeted component in cloud application workloads.

Severity

CVSSv3.1 Rating: 9.0 (Very High)

CVSSv3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Because we ship an old version of Istio (1.2 or 1.3, respectively) with several publicly known vulnerabilities (see https://istio.io/latest/news/security/ ), we adopted the highest CVSS score that Istio itself has reported for them, which is 9.0 (Very High). The known attacks range from heap overflow and denial of service up to authentication policy bypass.

Recommendations

Workaround

If you install Keptn, install the latest version of Istio first, then install Keptn with the --ingress-install-option=reuse flag so that Keptn reuses your Istio installation instead of installing its own.
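To find out whether an existing cluster is running one of the Istio versions named in this advisory, the image tags of the Istio control-plane and proxy containers can be inspected. The script below is an added example and is not part of this advisory or of the Keptn project; it assumes Istio runs in its default istio-system namespace and that kubectl is configured for the cluster being checked. It parses the Istio minor version out of each container image reference (handling tags with suffixes, digest-pinned references and images without a tag) and flags the 1.2 and 1.3 lines that Keptn 0.5.x and 0.6.x install; any other version is reported for review against the Istio security bulletins, since this advisory says nothing about it.

```shell
#!/bin/sh
# Added example, not part of the Keptn advisory: classify Istio container images in a
# cluster against the Istio versions this advisory names (1.2 and 1.3).
# Assumptions: Istio control plane lives in istio-system (Istio's default namespace)
# and kubectl already points at the cluster to be checked.

# Return the Istio major.minor from an image reference such as
# docker.io/istio/pilot:1.3.6 or docker.io/istio/proxyv2:1.2.10-distroless.
# Prints "unknown" for digest-pinned or untagged references.
istio_minor_from_image() {
    ref="${1%%@*}"          # drop a trailing @sha256:... digest, if any
    name="${ref##*/}"       # keep only the last path element (repository:tag)
    case "$name" in
        *:*) tag="${name##*:}" ;;   # registry:port is gone after the basename step
        *)   tag="" ;;
    esac
    case "$tag" in
        [0-9]*.[0-9]*) printf '%s\n' "$tag" | cut -d. -f1,2 ;;
        *)             printf 'unknown\n' ;;
    esac
}

# Map an image reference to a verdict for this advisory.
classify_istio_image() {
    minor=$(istio_minor_from_image "$1")
    case "$minor" in
        1.2|1.3) echo "affected" ;;                # versions shipped by Keptn 0.5.x / 0.6.x
        unknown) echo "unknown" ;;                 # cannot tell from the reference alone
        *)       echo "review-istio-bulletins" ;;  # not covered by this advisory
    esac
}

# List every distinct container image in the Istio namespace with its verdict.
audit_cluster() {
    ns="${1:-istio-system}"   # assumed default namespace; override with the first argument
    kubectl -n "$ns" get pods \
        -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}' \
    | sort -u \
    | while read -r image; do
        printf '%-60s %s\n' "$image" "$(classify_istio_image "$image")"
    done
}

# Constructed sample image references standing in for kubectl output, so the
# classification logic can be exercised without a cluster.
demo() {
    for img in docker.io/istio/pilot:1.3.6 \
               docker.io/istio/proxyv2:1.2.10-distroless \
               docker.io/istio/pilot:1.6.4 \
               'docker.io/istio/pilot@sha256:0000000000000000000000000000000000000000000000000000000000000000'; do
        printf '%-90s %s\n' "$img" "$(classify_istio_image "$img")"
    done
}

demo
# audit_cluster            # uncomment to run against the configured cluster
```

Run `audit_cluster` (optionally with a namespace argument) against the cluster; any line reported as "affected" means the Istio version named in this advisory is present and the workaround above applies.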

How to identify whether the vulnerability has been abused

As this affects a third-party component, guidance on identifying whether a vulnerability has been abused is documented on the Istio website: https://istio.io/latest/news/security/