ISTIO-SECURITY-2022-002

Privileged Escalation in Kubernetes Gateway API.

Jan 18, 2022

Disclosure Details
CVE(s)CVE-2022-21701
CVSS Impact Score4.7 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Affected Releases1.12.0 to 1.12.1

CVE

CVE-2022-21701

Istio version 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as Pod.

Am I Impacted?

This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable.

Your cluster may be impacted if:

Workarounds

If you are unable to upgrade, any of the following will prevent this vulnerability:

Credit

We would like to thank Anthony Weems.