openshift · vikram-redhat · Aug 26, 2021 · Aug 25, 2021
diff --git a/modules/ossm-rn-fixed-issues-1x.adoc b/modules/ossm-rn-fixed-issues-1x.adoc
@@ -8,10 +8,10 @@ Module included in the following assemblies:
 
 ////
 Provide the following info for each issue if possible:
-Consequence - What user action or situation would make this problem appear  (If you have the foo option enabled and did x)? What did the customer experience as a result of the issue? What was the symptom?
-Cause - Why did this happen?
-Fix - What did we change to fix the problem?
-Result - How has the behavior changed as a result?  Try to avoid “It is fixed” or “The issue is resolved” or “The error no longer presents”.
+*Consequence* - What user action or situation would make this problem appear (If you have the foo option enabled and did x)? What did the customer experience as a result of the issue? What was the symptom?
+*Cause* - Why did this happen?
+*Fix* - What did we change to fix the problem?
+*Result* - How has the behavior changed as a result? Try to avoid “It is fixed” or “The issue is resolved” or “The error no longer presents”.
 ////
 
 The following issues been resolved in the current release:

diff --git a/modules/ossm-rn-fixed-issues.adoc b/modules/ossm-rn-fixed-issues.adoc
@@ -8,10 +8,10 @@ Module included in the following assemblies:
 
 ////
 Provide the following info for each issue if possible:
-Consequence - What user action or situation would make this problem appear (If you have the foo option enabled and did x)? What did the customer experience as a result of the issue? What was the symptom?
-Cause - Why did this happen?
-Fix - What did we change to fix the problem?
-Result - How has the behavior changed as a result? Try to avoid “It is fixed” or “The issue is resolved” or “The error no longer presents”.
+*Consequence* - What user action or situation would make this problem appear (If you have the foo option enabled and did x)? What did the customer experience as a result of the issue? What was the symptom?
+*Cause* - Why did this happen?
+*Fix* - What did we change to fix the problem?
+*Result* - How has the behavior changed as a result? Try to avoid “It is fixed” or “The issue is resolved” or “The error no longer presents”.
 ////
 
 The following issues been resolved in the current release:

diff --git a/modules/ossm-rn-known-issues-1x.adoc b/modules/ossm-rn-known-issues-1x.adoc
@@ -7,10 +7,10 @@ Module included in the following assemblies:
 = Known issues
 
 ////
-Consequence - What user action or situation would make this problem appear (Selecting the Foo option with the Bar version 1.3 plugin enabled results in an error message)?  What did the customer experience as a result of the issue? What was the symptom?
-Cause (if it has been identified) - Why did this happen?
-Workaround (If there is one)- What can you do to avoid or negate the effects of this issue in the meantime?  Sometimes if there is no workaround it is worthwhile telling readers to contact support for advice. Never promise future fixes.
-Result - If the workaround does not completely address the problem.
+*Consequence* - What user action or situation would make this problem appear (Selecting the Foo option with the Bar version 1.3 plugin enabled results in an error message)?  What did the customer experience as a result of the issue? What was the symptom?
+*Cause* (if it has been identified) - Why did this happen?
+*Workaround* (If there is one)- What can you do to avoid or negate the effects of this issue in the meantime?  Sometimes if there is no workaround it is worthwhile telling readers to contact support for advice. Never promise future fixes.
+*Result* - If the workaround does not completely address the problem.
 ////
 
 These limitations exist in {ProductName}:

diff --git a/modules/ossm-rn-known-issues.adoc b/modules/ossm-rn-known-issues.adoc
@@ -7,10 +7,10 @@ Module included in the following assemblies:
 = Known issues
 
 ////
-Consequence - What user action or situation would make this problem appear (Selecting the Foo option with the Bar version 1.3 plugin enabled results in an error message)? What did the customer experience as a result of the issue? What was the symptom?
-Cause (if it has been identified) - Why did this happen?
-Workaround (If there is one)- What can you do to avoid or negate the effects of this issue in the meantime? Sometimes if there is no workaround it is worthwhile telling readers to contact support for advice. Never promise future fixes.
-Result - If the workaround does not completely address the problem.
+*Consequence* - What user action or situation would make this problem appear (Selecting the Foo option with the Bar version 1.3 plugin enabled results in an error message)?  What did the customer experience as a result of the issue? What was the symptom?
+*Cause* (if it has been identified) - Why did this happen?
+*Workaround* (If there is one)- What can you do to avoid or negate the effects of this issue in the meantime?  Sometimes if there is no workaround it is worthwhile telling readers to contact support for advice. Never promise future fixes.
+*Result* - If the workaround does not completely address the problem.
 ////
 
 These limitations exist in {ProductName}:

diff --git a/modules/ossm-rn-new-features-1x.adoc b/modules/ossm-rn-new-features-1x.adoc
@@ -7,9 +7,9 @@ Module included in the following assemblies:
 = New Features
 
 ////
-Feature – Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes.
-Reason – If known, include why has the enhancement been implemented (use case, performance, technology, etc.). For example, showcases integration of X with Y, demonstrates Z API feature, includes latest framework bug fixes. There may not have been a 'problem' previously, but system behaviour may have changed.
-Result – If changed, describe the current user experience
+*Feature* – Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes.
+*Reason* – If known, include why has the enhancement been implemented (use case, performance, technology, etc.). For example, showcases integration of X with Y, demonstrates Z API feature, includes latest framework bug fixes. There may not have been a 'problem' previously, but system behavior may have changed.
+*Result* – If changed, describe the current user experience
 ////
 {ProductName} provides a number of key capabilities uniformly across a network of services:
 
@@ -36,6 +36,62 @@ Result – If changed, describe the current user experience
 |1.0.0
 |===
 
+
+== New features {ProductName} 1.1.17.1
+
+This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs).
+
+=== Change in how {ProductName} handles URI fragments
+
+{ProductName} contains a remotely exploitable vulnerability, link:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39156[CVE-2021-39156], where an HTTP request with a fragment (a section in the end of a URI that begins with a # character) in the URI path could bypass the Istio URI path-based authorization policies. For instance, an Istio authorization policy denies requests sent to the URI path `/user/profile`. In the vulnerable versions, a request with URI path `/user/profile#section1` bypasses the deny policy and routes to the backend (with the normalized URI `path /user/profile%23section1`), possibly leading to a security incident.
+
+You are impacted by this vulnerability if you use authorization policies with DENY actions and `operation.paths`, or ALLOW actions and `operation.notPaths`.
+
+With the mitigation, the fragment part of the request’s URI is removed before the authorization and routing. This prevents a request with a fragment in its URI from bypassing authorization policies which are based on the URI without the fragment part.
+
+=== Required update for authorization policies
+
+Istio generates hostnames for both the hostname itself and all matching ports. For instance, a virtual service or Gateway for a host of "httpbin.foo" generates a config matching "httpbin.foo and httpbin.foo:*". However, exact match authorization policies only match the exact string given for the `hosts` or `notHosts` fields.
+
+Your cluster is impacted if you have `AuthorizationPolicy` resources using exact string comparison for the rule to determine link:https://istio.io/latest/docs/reference/config/security/authorization-policy/#Operation[hosts or notHosts].
+
+You must update your authorization policy link:https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule[rules] to use prefix match instead of exact match.  For example, replacing `hosts: ["httpbin.com"]` with `hosts: ["httpbin.com:*"]` in the first `AuthorizationPolicy` example.
+
+.First example AuthorizationPolicy using prefix match
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  action: DENY
+  rules:
+  - from:
+    - source:
+        namespaces: ["dev"]
+    to:
+    - operation:
+        hosts: [“httpbin.com”,"httpbin.com:*"]
+----
+
+.Second example AuthorizationPolicy using prefix match
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: default
+spec:
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        hosts: ["httpbin.example.com:*"]
+----
+
 == New features {ProductName} 1.1.17
 
 This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.

diff --git a/modules/ossm-rn-new-features.adoc b/modules/ossm-rn-new-features.adoc
@@ -7,9 +7,9 @@ Module included in the following assemblies:
 = New features
 
 ////
-Feature – Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes.
-Reason – If known, include why has the enhancement been implemented (use case, performance, technology, etc.). For example, showcases integration of X with Y, demonstrates Z API feature, includes latest framework bug fixes. There may not have been a 'problem' previously, but system behavior may have changed.
-Result – If changed, describe the current user experience
+*Feature* – Describe the new functionality available to the customer. For enhancements, try to describe as specifically as possible where the customer will see changes.
+*Reason* – If known, include why has the enhancement been implemented (use case, performance, technology, etc.). For example, showcases integration of X with Y, demonstrates Z API feature, includes latest framework bug fixes. There may not have been a 'problem' previously, but system behavior may have changed.
+*Result* – If changed, describe the current user experience
 ////
 {ProductName} provides a number of key capabilities uniformly across a network of services:
 
@@ -36,6 +36,82 @@ Result – If changed, describe the current user experience
 |2.0.0
 |===
 
+== New features {ProductName} 2.0.7.1
+
+This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs).
+
+=== Change in how {ProductName} handles URI fragments
+
+{ProductName} contains a remotely exploitable vulnerability, link:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39156[CVE-2021-39156], where an HTTP request with a fragment (a section in the end of a URI that begins with a # character) in the URI path could bypass the Istio URI path-based authorization policies. For instance, an Istio authorization policy denies requests sent to the URI path `/user/profile`. In the vulnerable versions, a request with URI path `/user/profile#section1` bypasses the deny policy and routes to the backend (with the normalized URI `path /user/profile%23section1`), possibly leading to a security incident.
+
+You are impacted by this vulnerability if you use authorization policies with DENY actions and `operation.paths`, or ALLOW actions and `operation.notPaths`.
+
+With the mitigation, the fragment part of the request’s URI is removed before the authorization and routing. This prevents a request with a fragment in its URI from bypassing authorization policies which are based on the URI without the fragment part.
+
+To opt-out from the new behavior in the mitigation, the fragment section in the URI will be kept. You can configure your `ServiceMeshControlPlane` to keep URI fragments.
+
+[WARNING]
+====
+Disabling the new behavior will normalize your paths as described above and is considered unsafe. Ensure that you have accommodated for this in any security policies before opting to keep URI fragments.
+====
+
+.Example `ServiceMeshControlPlane` modification
+[source,yaml]
+----
+apiVersion: maistra.io/v2
+kind: ServiceMeshControlPlane
+metadata:
+  name: basic
+spec:
+  techPreview:
+    meshConfig:
+      defaultConfig:
+        proxyMetadata: HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLED: "false"
+----
+
+=== Required update for authorization policies
+
+Istio generates hostnames for both the hostname itself and all matching ports. For instance, a virtual service or Gateway for a host of "httpbin.foo" generates a config matching "httpbin.foo and httpbin.foo:*". However, exact match authorization policies only match the exact string given for the `hosts` or `notHosts` fields.
+
+Your cluster is impacted if you have `AuthorizationPolicy` resources using exact string comparison for the rule to determine link:https://istio.io/latest/docs/reference/config/security/authorization-policy/#Operation[hosts or notHosts].
+
+You must update your authorization policy link:https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule[rules] to use prefix match instead of exact match.  For example, replacing `hosts: ["httpbin.com"]` with `hosts: ["httpbin.com:*"]` in the first `AuthorizationPolicy` example.
+
+.First example AuthorizationPolicy using prefix match
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  action: DENY
+  rules:
+  - from:
+    - source:
+        namespaces: ["dev"]
+    to:
+    - operation:
+        hosts: [“httpbin.com”,"httpbin.com:*"]
+----
+
+.Second example AuthorizationPolicy using prefix match
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: default
+spec:
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        hosts: ["httpbin.example.com:*"]
+----
+
 == New features {ProductName} 2.0.7
 
 This release of {ProductName} addresses Common Vulnerabilities and Exposures (CVEs) and bug fixes.