Bug 2148199 (CVE-2022-39278)

Summary: CVE-2022-39278 Istio: Denial of service attack via a specially crafted message
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jwendell, ovanders, rcernich, twalsh
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Istio 1.15.2, Istio 1.14.5, Istio 1.13.9
Doc Text:
An uncontrolled resource consumption flaw was found in the Istio control plane, istiod. This issue could allow an unauthenticated remote attacker to send a specially crafted or oversized message that could cause a denial of service.
Last Closed: 2023-02-01 06:25:59 UTC
Bug Depends On: 2148658
Bug Blocks: 2148372

Description Marian Rehak 2022-11-24 15:16:54 UTC
The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker to send a specially crafted or oversized message that results in the control plane crashing when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet.

Reference:

https://github.com/istio/istio/security/advisories/GHSA-86vr-4wcv-mm9w
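The description above names the failure mode (an unauthenticated, oversized message to the webhook endpoint exhausting the control plane) without showing the defensive pattern that prevents it. The following is an added example, not Istio's code and not the upstream fix: a hypothetical validating-webhook handler that bounds the request body before decoding it. The 1 MiB cap, the `review` type, the `/validate` path and all request bodies are constructed assumptions for this example. It checks the declared Content-Length first and then caps the actual read, because a client can omit or misstate the length.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBody caps a single admission request body. The 1 MiB figure is an
// assumption for this example, not a value taken from Istio or the advisory.
const maxWebhookBody int64 = 1 << 20

var errTooLarge = errors.New("request body exceeds limit")

// review is a constructed stand-in for the AdmissionReview envelope; only the
// fields needed to show the decode step are present.
type review struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
}

// readLimited reads at most limit bytes and reports errTooLarge if the body
// continues past it, so the decoder never sees an unbounded input.
func readLimited(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errTooLarge
	}
	return data, nil
}

// newWebhookHandler returns a hypothetical validating-webhook handler that
// bounds the request body before parsing it.
func newWebhookHandler(limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Fast path: an honest Content-Length above the limit is refused unread.
		if r.ContentLength > limit {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Slow path: Content-Length may be absent (-1) or wrong, so the read is capped too.
		body, err := readLimited(r.Body, limit)
		if errors.Is(err, errTooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, "could not read request body", http.StatusBadRequest)
			return
		}
		var rv review
		if err := json.Unmarshal(body, &rv); err != nil {
			http.Error(w, "malformed admission review", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintf(w, "accepted %s/%s\n", rv.APIVersion, rv.Kind)
	})
}

// stream hides the concrete reader type so httptest leaves Content-Length at -1,
// mimicking a chunked request with no declared length.
type stream struct{ io.Reader }

// probe delivers one constructed body to the handler in-process and returns the status code.
func probe(h http.Handler, body io.Reader) int {
	req := httptest.NewRequest(http.MethodPost, "/validate", body)
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// runScenarios exercises the handler with constructed inputs and returns the
// status code each one receives.
func runScenarios() map[string]int {
	h := newWebhookHandler(maxWebhookBody)
	big := strings.Repeat("x", int(maxWebhookBody)+1)
	return map[string]int{
		"small valid review":    probe(h, strings.NewReader(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview"}`)),
		"oversized, declared":   probe(h, strings.NewReader(big)),
		"oversized, undeclared": probe(h, stream{strings.NewReader(big)}),
		"malformed JSON":        probe(h, strings.NewReader(`{not json`)),
	}
}

func main() {
	for name, code := range runScenarios() {
		fmt.Printf("%-22s -> HTTP %d\n", name, code)
	}
}
```

Run it with `go run .`; both oversized cases receive 413 without the payload ever reaching the JSON decoder, while the small review is accepted and the malformed one gets 400. The body cap is only half of the control the description points to: for the endpoint on port 15017 the complementary measure is keeping it reachable only from inside the cluster, since the message needs no authentication to be processed.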

Comment 1 Nick Tait 2022-11-26 21:01:21 UTC
The GitHub advisory link is correct, but within there it links to an older, irrelevant Istio security announcement. I've added the correct one as an external reference.

Comment 2 Nick Tait 2022-11-26 21:12:54 UTC
Created golang-istio-pkg tracking bugs for this issue:

Affects: fedora-all [bug 2148658]

Comment 4 errata-xmlrpc 2023-01-30 17:21:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542

Comment 5 Product Security DevOps Team 2023-02-01 06:25:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-39278