CVE-2022-39278

CVE Details

Release Date:	2022-10-13
Impact:	None	What is this?

Description

Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted or oversized message which results in the control plane crashing when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds, beyond upgrading. This bug is due to an error in regexp.Compile in Go.

See more information about CVE-2022-39278 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	7.5
Vector String:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version:	3.0
Attack Vector:	Network
Attack Complexity:	Low
Privileges Required:	None
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	None
Integrity Impact:	None
Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 7 (istio)	ELSA-2023-12012	2012-01-11
Oracle Linux version 7 (istio)	ELSA-2023-12013	2023-01-11
Oracle Linux version 7 (olcne)	ELSA-2023-12012	2012-01-11
Oracle Linux version 7 (olcne)	ELSA-2023-12013	2023-01-11
Oracle Linux version 8 (istio)	ELSA-2023-12011	2023-01-10
Oracle Linux version 8 (istio)	ELSA-2023-12014	2023-01-11
Oracle Linux version 8 (olcne)	ELSA-2023-12011	2023-01-10
Oracle Linux version 8 (olcne)	ELSA-2023-12014	2023-01-11