Disclosure Details
CVE(s)
CVE-2022-23635
CVE-2021-43824
CVE-2021-43825
CVE-2021-43826
CVE-2022-21654
CVE-2022-21655
CVE-2022-23606
CVSS Impact Score
7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Releases
All releases prior to 1.11.0
1.11.0 to 1.11.6
1.12.0 to 1.12.3
1.13.0
CVE
CVE-2022-23635
CVE-2022-23635:
(CVSS Score 7.5, High): Unauthenticated control plane denial of service attack.
The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that
sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012,
but does not require any authentication from the attacker.
For simple installations, istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially multicluster topologies, this port is exposed over the public internet.
Envoy CVEs
At this time it is not believed that Istio is vulnerable to these CVEs in Envoy. They are listed, however,
to be transparent.
CVE ID
Score, Rating
Description
Fixed in 1.13.1
Fixed in 1.12.4
Fixed in 1.11.7
CVE-2021-43824
6.5, Medium
Potential null pointer dereference when using JWT filter safe_regex match.
Yes
Yes
Yes
CVE-2021-43825
6.1, Medium
Use-after-free when response filters increase response data, and increased data exceeds downstream buffer limits.
Yes
Yes
Yes
CVE-2021-43826
6.1, Medium
Use-after-free when tunneling TCP over HTTP, if downstream disconnects during upstream connection establishment.
Yes
Yes
Yes
CVE-2022-21654
7.3, High
Incorrect configuration handling allows mTLS session re-use without re-validation after validation settings have changed.
Yes
Yes
Yes
CVE-2022-21655
7.5, High
Incorrect handling of internal redirects to routes with a direct response entry.
Yes
Yes
Yes
CVE-2022-23606
4.4, Moderate
Stack exhaustion when a cluster is deleted via Cluster Discovery Service.
Yes
Yes
N/A
CVE-2022-21656
3.1, Low
X.509 subjectAltName matching (and nameConstraints) bypass.
No, next release.
No, next release.
Envoy did not backport this fix.
CVE-2022-21657
3.1, Low
X.509 Extended Key Usage and Trust Purposes bypass
No, next release.
No, next release.
No, next release.
Am I Impacted?
You are at most risk if you are running Istio in a multi-cluster environment, or if you have exposed your istiod externally.
Credit
We would like to thank Adam Korczynski (ADA Logics) and John Howard (Google) for the report and the fix.
...more