{"containers": {"cna": {"affected": [{"product": "istio", "vendor": "istio", "versions": [{"status": "affected", "version": "< 1.11.8,"}, {"status": "affected", "version": ">= 1.12.0, < 1.12.5"}, {"status": "affected", "version": ">= 1.13.0, < 1.13.2"}]}], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-10T20:45:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/golang/go/issues/51112"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/istio/istio/commit/6ca5055a4db6695ef5504eabdfde3799f2ea91fd"}], "source": {"advisory": "GHSA-8w5h-qr4r-2h6g", "discovery": "UNKNOWN"}, "title": "Unauthenticated control plane denial of service attack in Istio", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24726", "STATE": "PUBLIC", "TITLE": "Unauthenticated control plane denial of service attack in Istio"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "istio", "version": {"version_data": [{"version_value": "< 1.11.8,"}, {"version_value": ">= 1.12.0, < 1.12.5"}, {"version_value": ">= 1.13.0, < 1.13.2"}]}}]}, "vendor_name": "istio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g", "refsource": "CONFIRM", "url": "https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g"}, {"name": "https://github.com/golang/go/issues/51112", "refsource": "MISC", "url": "https://github.com/golang/go/issues/51112"}, {"name": "https://github.com/istio/istio/commit/6ca5055a4db6695ef5504eabdfde3799f2ea91fd", "refsource": "MISC", "url": "https://github.com/istio/istio/commit/6ca5055a4db6695ef5504eabdfde3799f2ea91fd"}]}, "source": {"advisory": "GHSA-8w5h-qr4r-2h6g", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.823Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/golang/go/issues/51112"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/istio/istio/commit/6ca5055a4db6695ef5504eabdfde3799f2ea91fd"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24726", "datePublished": "2022-03-10T20:45:12", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:49.823Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "E255ACB0-90AB-4FC4-AC4B-D7DE613A115E", "versionEndExcluding": "1.11.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "93FFCE9E-9ECF-4B07-B18B-1B73C313CE2C", "versionEndExcluding": "1.12.5", "versionStartIncluding": "1.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C6F7ADF-2FD8-4986-A6F2-0000CC5770D4", "versionEndExcluding": "1.13.2", "versionStartIncluding": "1.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities."}, {"lang": "es", "value": "Istio es una plataforma abierta para conectar, administrar y asegurar microservicios. En las versiones afectadas, el plano de control de Istio, istiod, es vulnerable a un error de procesamiento de peticiones, permitiendo a un atacante malicioso que env\u00ede un mensaje especialmente dise\u00f1ado que resulte en el bloqueo del plano de control cuando el webhook de comprobaci\u00f3n de un cl\u00faster se exponga p\u00fablicamente. Este endpoint es servido a trav\u00e9s del puerto 15017 de TLS, pero no requiere ninguna autenticaci\u00f3n por parte del atacante. Para instalaciones sencillas, Istiod normalmente s\u00f3lo es accesible desde dentro del cl\u00faster, limitando el radio de explosi\u00f3n. Sin embargo, para algunos despliegues, especialmente las topolog\u00edas de [istiod externo](https://istio.io/latest/docs/setup/install/external-controlplane/), este puerto est\u00e1 expuesto a trav\u00e9s de la Internet p\u00fablica. Este problema ha sido parcheado en las versiones 1.13.2, 1.12.5 y 1.11.8. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizarse deben deshabilitar el acceso a un webhook de comprobaci\u00f3n que est\u00e9 expuesto a la Internet p\u00fablica o restringir el conjunto de direcciones IP que pueden consultarlo a un conjunto de entidades conocidas y confiables"}], "id": "CVE-2022-24726", "lastModified": "2024-11-21T06:50:57.670", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-10T21:15:14.603", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/golang/go/issues/51112"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/istio/istio/commit/6ca5055a4db6695ef5504eabdfde3799f2ea91fd"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/golang/go/issues/51112"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/istio/istio/commit/6ca5055a4db6695ef5504eabdfde3799f2ea91fd"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Upstream acknowledges Oliver Liu, John Howard and Jacob Delgado (Istio Product Security Working Group) as the original reporter.", "affected_release": [{"advisory": "RHSA-2022:1276", "cpe": "cpe:/a:redhat:service_mesh:2.0::el8", "package": "servicemesh-0:2.0.9-3.el8", "product_name": "OpenShift Service Mesh 2.0", "release_date": "2022-04-07T00:00:00Z"}, {"advisory": "RHSA-2022:1275", "cpe": "cpe:/a:redhat:service_mesh:2.1::el8", "package": "servicemesh-0:2.1.2-4.el8", "product_name": "OpenShift Service Mesh 2.1", "release_date": "2022-04-07T00:00:00Z"}], "bugzilla": {"description": "istio: Unauthenticated control plane denial of service attack due to stack exhaustion", "id": "2061638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2061638"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.", "A stack exhaustion flaw was found in the Istio control plane. This flaw allows a remote unauthenticated attacker to send a specially crafted or oversized message to crash the control plane process, resulting in a denial of service condition."], "name": "CVE-2022-24726", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Affected", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.1"}], "public_date": "2022-03-09T20:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-24726\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-24726\nhttps://istio.io/latest/news/security/istio-security-2022-004/"], "threat_severity": "Important", "upstream_fix": "istio 1.11.8, istio 1.12.5, istio 1.13.2"}