CVE-2022-23635 — Improper Authentication in Istio

CWE-287 — Improper Authentication CWE-1284 — Improper Validation of Specified Quantity in Input5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Istio.io Istio Istio

Timeline

PublishedFeb 22

Latest updateJul 31

Description

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radi…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDistio/istio1.12.0 — 1.12.4+2

▶Goistio.io/istio1.13.0 — 1.13.1+2

▶CVEListV5istio/istio>= 1.12.0, < 1.12.4, >= 1.13.0, < 1.13.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Unauthenticated control plane denial of service attack in Istio↗2022-02-23

▶

GHSA

Unauthenticated control plane denial of service attack in Istio↗2022-02-23

▶

📋Vendor Advisories

Red Hat

istio: unauthenticated control plane denial of service attack↗2022-02-22

▶

📄Research Papers

arXiv

Microservice Vulnerability Analysis: A Literature Review with Empirical Insights↗2024-07-31

▶