Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-23635: ISTIO-SECURITY-2022-003

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially multicluster topologies, this port is exposed over the public internet. There are no effective workarounds, beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.

CVE
Open in Source
#vulnerability#google#dos

Multiple CVEs related to istiod Denial of Service and Envoy.

Disclosure Details

CVE(s)

CVE-2022-21701
CVE-2021-43824
CVE-2021-43825
CVE-2021-43826
CVE-2022-21654
CVE-2022-21655
CVE-2022-23606

CVSS Impact Score

7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Releases

All releases prior to 1.11.0
1.11.0 to 1.11.6
1.12.0 to 1.12.3
1.13.0

CVE****CVE-2022-23635

  • CVE-2022-23635: CVE-2022-23635 (CVSS Score 7.5, High): Unauthenticated control plane denial of service attack.

The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker.

Envoy CVEs

At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however, to be transparent.

  • CVE-2021-43824: CVE-2021-43824 (CVSS Score 6.5, Medium): Envoy 1.21.0 and earlier - Potential null pointer dereference when using JWT filter safe_regex match.

  • CVE-2021-43825: CVE-2021-43825 (CVSS Score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.

  • CVE-2021-43826: CVE-2021-43826 (CVSS Score 6.1, Medium): Envoy 1.21.0 and earlier - Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.

  • CVE-2022-21654: CVE-2022-21654 (CVSS Score 7.3, High): Envoy 1.7.0 and later - Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.

  • CVE-2022-21655: CVE-2022-21655 (CVSS Score 7.5, High): Envoy 1.21 and earlier - Incorrect handling of internal redirects to routes with a direct response entry.

The following CVE did not apply to Istio 1.11.6.

  • CVE-2022-23606: CVE-2022-23606 (CVSS Score 4.4, Moderate): Envoy 1.20 and later - Stack exhaustion when a cluster is deleted via Cluster Discovery Service.

Am I Impacted?

If you are running Istio in a multi-cluster environment or if you have exposed your istiod externally.

Credit

We would like to thank John Howard (Google) for the report and the fix.

ISTIO-SECURITY-2022-001

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE