CVE-2022-31045 — Out-of-bounds Read in Istio

CWE-125 — Out-of-bounds Read4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 43.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Istio Istio.io Istio

Timeline

PublishedJun 9

Latest updateJun 10

Description

Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic. This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5istio/istio< 1.12.18+2

▶NVDistio/istio1.13.0 — 1.13.5+2

▶Goistio.io/istio1.13.0 — 1.13.5+2

🔴Vulnerability Details

OSV

Ill-formed headers may lead to unexpected behavior in Istio↗2022-06-10

▶

GHSA

Ill-formed headers may lead to unexpected behavior in Istio↗2022-06-10

▶

📋Vendor Advisories

Red Hat

Istio: Unsafe memory access in metadata exchange.↗2022-06-09

▶