Bug 2148199 (CVE-2022-39278) - CVE-2022-39278 Istio: Denial of service attack via a specially crafted message
Summary: CVE-2022-39278 Istio: Denial of service attack via a specially crafted message
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-39278
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2148658
Blocks: 2148372
Reported: 2022-11-24 15:16 UTC by Marian Rehak
Modified: 2023-09-01 04:22 UTC (History)

Fixed In Version: Istio 1.15.2, Istio 1.14.5, Istio 1.13.9
Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption flaw was found in the Istio control plane, istiod. This issue could allow an unauthenticated remote attacker to send a specially crafted or oversized message that could cause a denial of service.
Clone Of:
Environment:
Last Closed: 2023-02-01 06:25:59 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2023:0542 (last updated 2023-01-30 17:21:07 UTC)

Description Marian Rehak 2022-11-24 15:16:54 UTC
The Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker who sends a specially crafted or oversized message to crash the control plane when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet.

Reference:

https://github.com/istio/istio/security/advisories/GHSA-86vr-4wcv-mm9w
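As an added example (not part of this bug report or of Istio's own tooling), a small Python check that maps an istiod version string onto the "Fixed In Version" list above, so an operator can tell whether a given control plane still predates its branch's fix. Branches not named on this page (1.12 and older, 1.16 and newer) are reported as unknown rather than guessed; pre-release builds of a fixed version are treated as predating the fix.

```python
"""Compare an istiod version against the fixed versions listed for CVE-2022-39278."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions stated in this bug, keyed by (major, minor) branch.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 13): (1, 13, 9),
    (1, 14): (1, 14, 5),
    (1, 15): (1, 15, 2),
}

# Accepts "1.14.3", "v1.15.2" and pre-release tags such as "1.15.2-rc.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_final_release) or None if unparseable.

    is_final_release is False for pre-release tags, so that a tuple comparison
    orders "1.15.2-rc.1" before the final "1.15.2".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, m.group(4) is None)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates its branch's fix, False if it carries the fix,
    None if the string is unparseable or the branch is not covered by this page."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_IN.get(parsed[:2])
    if fixed is None:
        return None  # branch not listed here; consult the upstream advisory
    return parsed < (*fixed, True)


def triage(versions: List[str]) -> Dict[str, str]:
    """Label each version string as 'vulnerable', 'fixed' or 'unknown'."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {v: labels[is_vulnerable(v)] for v in versions}


if __name__ == "__main__":
    # Constructed sample input, e.g. values gathered from several clusters.
    for ver, label in triage(["1.13.8", "v1.14.5", "1.15.2-rc.1", "1.16.0"]).items():
        print(f"{ver:14s} {label}")
```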

Comment 1 Nick Tait 2022-11-26 21:01:21 UTC
The GitHub advisory link is correct, but within there it links to an older, irrelevant Istio security announcement. I've added the correct one as an external reference.

Comment 2 Nick Tait 2022-11-26 21:12:54 UTC
Created golang-istio-pkg tracking bugs for this issue:

Affects: fedora-all [bug 2148658]

Comment 4 errata-xmlrpc 2023-01-30 17:21:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542

Comment 5 Product Security DevOps Team 2023-02-01 06:25:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-39278
