ISTIO-SECURITY-2022-004

Unauthenticated control plane denial of service attack due to stack exhaustion.

Mar 9, 2022

Disclosure Details
CVE(s)CVE-2022-24726
CVE-2022-24921
CVSS Impact Score7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected ReleasesAll releases prior to 1.11.0
1.11.0 to 1.11.7
1.12.0 to 1.12.4
1.13.0 to 1.13.1

CVE

CVE-2022-24726

The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted or oversized message, to crash the control plane process. This can be exploited when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from an attacker.

For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially those where the control plane runs in a different cluster, this port is exposed over the public internet.

Istio considers this a 0-day vulnerability due to the publication of CVE-2022-24921 by the Go team.

Envoy CVEs

The following Envoy CVEs for Envoy were also patched for Istio 1.11.8, 1.12.5 and Istio 1.13.2. They were publicly fixed in https://github.com/envoyproxy/envoy for versions of Envoy used in prior Istio versions. As detailed in ISTIO-SECURITY-2022-003, Istio was not vulnerable to attack.

The following was also fixed in Istio 1.12.5 and Istio 1.13.2.

Am I Impacted?

You are at most risk if you are running Istio in an external istiod environment, or if you have exposed your istiod externally.

Credit

We would like to thank John Howard (Google) for the report and the fix.