ISTIO-SECURITY-2022-003

Multiple CVEs related to istiod Denial of Service and Envoy.

Feb 22, 2022

Disclosure Details
CVE(s)CVE-2022-23635
CVE-2021-43824
CVE-2021-43825
CVE-2021-43826
CVE-2022-21654
CVE-2022-21655
CVE-2022-23606
CVSS Impact Score7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected ReleasesAll releases prior to 1.11.0
1.11.0 to 1.11.6
1.12.0 to 1.12.3
1.13.0

CVE

CVE-2022-23635

The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker.

For simple installations, istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially multicluster topologies, this port is exposed over the public internet.

Envoy CVEs

At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however, to be transparent.

CVE IDScore, RatingDescriptionFixed in 1.13.1Fixed in 1.12.4Fixed in 1.11.7
CVE-2021-438246.5, MediumPotential null pointer dereference when using JWT filter safe_regex match.YesYesYes
CVE-2021-438256.1, MediumUse-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.YesYesYes
CVE-2021-438266.1, MediumUse-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.YesYesYes
CVE-2022-216547.3, HighIncorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.YesYesYes
CVE-2022-216557.5, HighIncorrect handling of internal redirects to routes with a direct response entry.YesYesYes
CVE-2022-236064.4, ModerateStack exhaustion when a cluster is deleted via Cluster Discovery Service.YesYesN/A
CVE-2022-216563.1, LowX.509 subjectAltName matching (and nameConstraints) bypass.No, next release.No, next release.Envoy did not backport this fix.
CVE-2022-216573.1, LowX.509 Extended Key Usage and Trust Purposes bypassNo, next release.No, next release.No, next release.

Am I Impacted?

You are at most risk if you are running Istio in a multi-cluster environment, or if you have exposed your istiod externally.

Credit

We would like to thank Adam Korczynski (ADA Logics) and John Howard (Google) for the report and the fix.