content/en/news/security/istio-security-2022-004/index.md
{{< security_bulletin >}}
The Istio control plane, istiod, is vulnerable to a request processing error: an attacker who sends a specially crafted or oversized message can crash the control plane process. This can be exploited when the Kubernetes validating or mutating webhook service is exposed publicly. The endpoint is served over TLS on port 15017 but requires no authentication from the caller.
For simple installations, istiod is typically reachable only from within the cluster, which limits the blast radius. However, in some deployments, especially those where the control plane runs in a different cluster, this port is exposed on the public internet.
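The two exposure conditions above (an externally reachable Service publishing port 15017, or a webhook configuration that reaches istiod through a URL rather than an in-cluster Service reference, as an external control plane does) can be checked from the cluster's own API objects. The script below is an added example written for this page, not Istio project code. It assumes the input is the JSON that `kubectl get svc -A -o json` and `kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json` produce; the embedded samples are constructed so it runs offline.

```python
"""Flag ways istiod's unauthenticated webhook port (TLS 15017) can be reached
from outside the cluster, the exposure condition described in this bulletin.

Added example, not part of the Istio project. Input shape assumed to match
`kubectl ... -o json` output; the samples below are constructed.
"""
import json
from typing import List

ISTIOD_WEBHOOK_PORT = 15017  # the unauthenticated TLS port named in the bulletin

# Service types that allocate an address reachable from outside the cluster.
EXTERNAL_SERVICE_TYPES = {"LoadBalancer", "NodePort"}

# Constructed sample: an in-cluster-only istiod, a LoadBalancer forwarding 15017
# (typical for an external control plane), and an unrelated public Service.
SAMPLE_SERVICES = json.dumps({
    "items": [
        {"metadata": {"name": "istiod", "namespace": "istio-system"},
         "spec": {"type": "ClusterIP",
                  "ports": [{"name": "https-webhook", "port": 15017, "targetPort": 15017}]}},
        {"metadata": {"name": "istiod-external", "namespace": "external-istiod"},
         "spec": {"type": "LoadBalancer",
                  "ports": [{"name": "https-webhook", "port": 15017, "targetPort": 15017},
                            {"name": "https-dns", "port": 15012, "targetPort": 15012}]}},
        {"metadata": {"name": "frontend", "namespace": "default"},
         "spec": {"type": "LoadBalancer",
                  "ports": [{"name": "http", "port": 80, "targetPort": 8080}]}},
    ]
})

# Constructed sample: one webhook that targets the in-cluster Service, one that
# targets an external URL (how a remote cluster reaches an external istiod).
SAMPLE_WEBHOOKS = json.dumps({
    "items": [
        {"kind": "MutatingWebhookConfiguration",
         "metadata": {"name": "istio-sidecar-injector"},
         "webhooks": [{"name": "rev.namespace.sidecar-injector.istio.io",
                       "clientConfig": {"service": {"name": "istiod",
                                                    "namespace": "istio-system",
                                                    "port": 443}}}]},
        {"kind": "ValidatingWebhookConfiguration",
         "metadata": {"name": "istio-validator-external-istiod"},
         "webhooks": [{"name": "rev.validation.istio.io",
                       "clientConfig": {"url": "https://istiod.example.com:15017/validate"}}]},
    ]
})


def exposed_services(services_json: str) -> List[str]:
    """Return 'namespace/name' of Services with an externally reachable type
    that publish or forward to the istiod webhook port."""
    findings = []
    for svc in json.loads(services_json)["items"]:
        spec = svc.get("spec", {})
        if spec.get("type") not in EXTERNAL_SERVICE_TYPES:
            continue
        ports = spec.get("ports", [])
        if any(p.get("port") == ISTIOD_WEBHOOK_PORT
               or p.get("targetPort") == ISTIOD_WEBHOOK_PORT for p in ports):
            meta = svc["metadata"]
            findings.append(f"{meta['namespace']}/{meta['name']}")
    return findings


def external_webhook_urls(webhooks_json: str) -> List[str]:
    """Return 'config:webhook -> url' for webhooks whose clientConfig uses a URL
    instead of an in-cluster Service reference. The API server must reach that
    host, so it is usually an address outside the workload cluster."""
    findings = []
    for cfg in json.loads(webhooks_json)["items"]:
        for hook in cfg.get("webhooks", []):
            url = hook.get("clientConfig", {}).get("url")
            if url:
                findings.append(f"{cfg['metadata']['name']}:{hook['name']} -> {url}")
    return findings


if __name__ == "__main__":
    for f in exposed_services(SAMPLE_SERVICES):
        print("externally reachable Service publishing 15017:", f)
    for f in external_webhook_urls(SAMPLE_WEBHOOKS):
        print("webhook reaching istiod via URL:", f)
```

A hit from either function means the crash described above is reachable by anyone who can route to that address, since the port performs no authentication; a ClusterIP-only istiod with Service-referenced webhooks narrows exposure to in-cluster callers.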
Istio considers this a 0-day vulnerability due to the publication of CVE-2022-24921 by the Go team.
The following Envoy CVEs were also patched in Istio 1.11.8, 1.12.5 and 1.13.2. They were fixed publicly in https://github.com/envoyproxy/envoy for the Envoy versions used by prior Istio releases. As detailed in ISTIO-SECURITY-2022-003, Istio was not vulnerable to attack.
The following was also fixed in Istio 1.12.5 and Istio 1.13.2.
subjectAltName matching (and nameConstraints) bypass.

You are at most risk if you run Istio with an external istiod, or if you have otherwise exposed istiod outside the cluster.
We would like to thank John Howard (Google) for the report and the fix.