CVE-2020-1764

A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.

Mitigation

The Kiali configuration can be manually updated for ServiceMesh so that the default signing_key cannot be easily determined:

oc get kiali -n $(oc get kiali --all-namespaces --no-headers -o custom-columns=NS:.metadata.namespace) -o yaml | sed "s/spec:/spec:\n login_token:\n signing_key: $(chars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890; for i in {1…20}; do echo -n "${chars:RANDOM%${#chars}:1}"; done; echo)/" | oc apply -f -