CVE-2022-39278 - OpenCVE

Vendors	Products
Istio	Istio
Redhat	Service Mesh

Package	CPE	Advisory	Released Date
Red Hat OpenShift Service Mesh 2.3 for RHEL 8
openshift-service-mesh/istio-cni-rhel8:2.3.1-9	cpe:/a:redhat:service_mesh:2.3::el8	RHSA-2023:0542	2023-01-30T00:00:00Z

Link	Providers
https://github.com/istio/istio/security/advisories/GHSA-86vr-4wcv-mm9w
https://istio.io/latest/news/releases/1.13.x/announcing-1.13.9/
https://istio.io/latest/news/releases/1.15.x/announcing-1.15.2/
https://istio.io/latest/news/security/istio-security-2022-007/
https://istio.io/news/releases/1.14.x/announcing-1.14.5/
https://nvd.nist.gov/vuln/detail/CVE-2022-39278
https://www.cve.org/CVERecord?id=CVE-2022-39278

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39278", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:43.519Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-13T00:00:00"}, "containers": {"cna": {"title": "Istio vulnerable to denial of service attack due to Golang Regex Library", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-13T00:00:00"}, "descriptions": [{"lang": "en", "value": "Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted or oversized message which results in the control plane crashing when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds, beyond upgrading. This bug is due to an error in `regexp.Compile` in Go."}], "affected": [{"vendor": "istio", "product": "istio", "versions": [{"version": "< 1.13.9", "status": "affected"}, {"version": ">= 1.14.0, < 1.14.5", "status": "affected"}, {"version": ">= 1.15.0, < 1.15.2", "status": "affected"}]}], "references": [{"url": "https://github.com/istio/istio/security/advisories/GHSA-86vr-4wcv-mm9w"}, {"url": "https://istio.io/latest/news/releases/1.13.x/announcing-1.13.9/"}, {"url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.2/"}, {"url": "https://istio.io/news/releases/1.14.x/announcing-1.14.5/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "GHSA-86vr-4wcv-mm9w", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.519Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/istio/istio/security/advisories/GHSA-86vr-4wcv-mm9w", "tags": ["x_transferred"]}, {"url": "https://istio.io/latest/news/releases/1.13.x/announcing-1.13.9/", "tags": ["x_transferred"]}, {"url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.2/", "tags": ["x_transferred"]}, {"url": "https://istio.io/news/releases/1.14.x/announcing-1.14.5/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "29E9412C-C649-4DE8-98E6-4E1F48048156", "versionEndExcluding": "1.13.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "A330CF8F-60D8-4C9A-94E2-4F9EA328D801", "versionEndExcluding": "1.14.5", "versionStartIncluding": "1.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0FE7223-1751-420F-AC19-7A6A98BC630C", "versionEndExcluding": "1.15.2", "versionStartIncluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted or oversized message which results in the control plane crashing when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds, beyond upgrading. This bug is due to an error in `regexp.Compile` in Go."}, {"lang": "es", "value": "Istio es una malla de servicios abierta e independiente de la plataforma que proporciona administraci\u00f3n de tr\u00e1fico, aplicaci\u00f3n de pol\u00edticas y recopilaci\u00f3n de telemetr\u00eda. En versiones anteriores a 1.15.2, 1.14.5, y 1.13.9, el plano de control de Istio, istiod, es vulnerable a un error de procesamiento de peticiones, permitiendo a un atacante malicioso que env\u00ede un mensaje especialmente dise\u00f1ado o de gran tama\u00f1o que resulte en el bloqueo del plano de control cuando el servicio de webhooks de comprobaci\u00f3n o mutaci\u00f3n de Kubernetes est\u00e1 expuesto p\u00fablicamente. Este endpoint es servido a trav\u00e9s del puerto 15017 de TLS, pero no requiere ninguna autenticaci\u00f3n por parte del atacante. Para instalaciones sencillas, Istiod normalmente s\u00f3lo es alcanzable desde dentro del cl\u00faster, limitando el radio de explosi\u00f3n. Sin embargo, para algunos despliegues, especialmente las topolog\u00edas de istiod externas, este puerto est\u00e1 expuesto a trav\u00e9s de la Internet p\u00fablica. Las versiones 1.15.2, 1.14.5 y 1.13.9 contienen parches para este problema. no se presentan mitigaciones efectivas, m\u00e1s all\u00e1 de la actualizaci\u00f3n. Este bug es debido a un error en el archivo \"regexp.Compile\" en Go"}], "id": "CVE-2022-39278", "lastModified": "2022-10-19T14:24:42.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-13T23:15:11.033", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/istio/istio/security/advisories/GHSA-86vr-4wcv-mm9w"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://istio.io/latest/news/releases/1.13.x/announcing-1.13.9/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://istio.io/latest/news/releases/1.15.x/announcing-1.15.2/"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://istio.io/news/releases/1.14.x/announcing-1.14.5/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0542", "cpe": "cpe:/a:redhat:service_mesh:2.3::el8", "package": "openshift-service-mesh/istio-cni-rhel8:2.3.1-9", "product_name": "Red Hat OpenShift Service Mesh 2.3 for RHEL 8", "release_date": "2023-01-30T00:00:00Z"}], "bugzilla": {"description": "Istio: Denial of service attack via a specially crafted message", "id": "2148199", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148199"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Istio is an open platform-independent service mesh that provides traffic management, policy enforcement, and telemetry collection. Prior to versions 1.15.2, 1.14.5, and 1.13.9, the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted or oversized message which results in the control plane crashing when the Kubernetes validating or mutating webhook service is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially external istiod topologies, this port is exposed over the public internet. Versions 1.15.2, 1.14.5, and 1.13.9 contain patches for this issue. There are no effective workarounds, beyond upgrading. This bug is due to an error in `regexp.Compile` in Go.", "An uncontrolled resource consumption flaw was found in the Istio control plane, istiod. This issue could allow an unauthenticated remote attacker to send a specially crafted or oversized message that could cause a denial of service."], "name": "CVE-2022-39278", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Will not fix", "package_name": "servicemesh", "product_name": "OpenShift Service Mesh 2.1"}], "public_date": "2022-10-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-39278\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-39278\nhttps://github.com/istio/istio/security/advisories/GHSA-86vr-4wcv-mm9w\nhttps://istio.io/latest/news/security/istio-security-2022-007/"], "threat_severity": "Moderate", "upstream_fix": "Istio 1.15.2, Istio 1.14.5, Istio 1.13.9"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object