The Open Source Technology Improvement Fund (OSTIF) is happy to announce the results of the Istio Security Audit. Used by key cloud providers and technology organizations, Istio is an open service mesh platform to connect, manage, and secure microservices. The security audit was carried out by the team at Ada Logics. A total of fifteen fixes were implemented as a result of this engagement, including fixes for two upstream issues in golang itself.

The security review included building six new fuzzers for sensitive functions in Istio, manual review of the Istio codebase, and recommendations for improving the supply chain security of Istio using the SLSA model.

The notable findings in this review include multiple vectors for resource exhaustion, arbitrary file writes, TOCTOU (time-of-check/time-of-use) issues, and a recommendation to move away from a deprecated protobuf library.

This project resulted in 13 direct code changes, 6 improved tests, and efforts to complete the move from gogo/protobuf (which is no longer maintained) to golang/protobuf. Additionally, Istio added Depguard to the project in order to detect any future use of deprecated or unsafe dependencies.

Additionally, as a result of this audit, a problem was discovered in golang's h2c (HTTP/2 cleartext) handling that was both a resource-exhaustion and a request-smuggling vector and could affect many downstream projects, resulting in https://www.cve.org/CVERecord?id=CVE-2022-41721. This is fixed in the latest version of golang.

The full report can be found here: https://ostif.org/wp-content/uploads/2023/01/Istio-audit-report-v1.0.pdf
More information is in the Ada Logics blog post: https://adalogics.com/blog/istio-security-audit
The Istio team has made a blog post here: https://istio.io/latest/blog/2023/ada-logics-security-assessment/
The Cloud Native Computing Foundation announcement is here: https://www.cncf.io/blog/2023/01/30/istio-publishes-results-of-2022-security-audit/

We thank Francis Zhou, Justin Pettit, and Anand Jayaraman for collaborating on this effort, along with David Korczynski and Adam Korczynski of Ada Logics.

Special thanks to the Cloud Native Computing Foundation (CNCF) for funding this work and entrusting OSTIF to facilitate and manage the audit. Istio joins a growing list of CNCF projects that have entrusted OSTIF to proactively review projects and improve the security posture of open source software.