CVE-2022-21679 : Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization pol

Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or rejected unexpectedly for DENY action during the upgrade from 1.11 to 1.12.0/1.12.1. Istio 1.12 supports the hosts and notHosts fields in authorization policy with a new Envoy API shipped with the 1.12 data plane. A bug in the 1.12.0 and 1.12.1 incorrectly uses the new Envoy API with the 1.11 data plane. This will cause the hosts and notHosts fields to be always matched regardless of the actual value of the host header when mixing 1.12.0/1.12.1 control plane and 1.11 data plane. Users are advised to upgrade or to not mix the 1.12.0/1.12.1 control plane with 1.11 data plane if using hosts or notHosts field in authorization policy.

Published 2022-01-19 22:15:09

Updated 2022-01-27 13:58:54

Source GitHub, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-21679

Probability of exploitation activity in the next 30 days: 0.22%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 60 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-21679

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N	1.6	5.2	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2022-21679

CWE-670 Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2022-21679

https://github.com/istio/istio/security/advisories/GHSA-rwfr-xrvw-2rvv

Authorization Policy For Host Rules During Upgrades · Advisory · istio/istio · GitHub
Third Party Advisory
https://istio.io/latest/news/releases/1.12.x/announcing-1.12.2/

Istio / Announcing Istio 1.12.2
Release Notes;Vendor Advisory

CVEs referencing this url

Products affected by CVE-2022-21679

Istio » Istio » Version: 1.12.0
cpe:2.3:a:istio:istio:1.12.0:-:*:*:*:*:*:*
Matching versions
Istio » Istio » Version: 1.12.0 Update Alpha0
cpe:2.3:a:istio:istio:1.12.0:alpha0:*:*:*:*:*:*
Matching versions
Istio » Istio » Version: 1.12.0 Update Alpha1
cpe:2.3:a:istio:istio:1.12.0:alpha1:*:*:*:*:*:*
Matching versions
Istio » Istio » Version: 1.12.0 Update Alpha5
cpe:2.3:a:istio:istio:1.12.0:alpha5:*:*:*:*:*:*
Matching versions
Istio » Istio » Version: 1.12.0 Update Beta0
cpe:2.3:a:istio:istio:1.12.0:beta0:*:*:*:*:*:*
Matching versions
Istio » Istio » Version: 1.12.0 Update Beta1
cpe:2.3:a:istio:istio:1.12.0:beta1:*:*:*:*:*:*
Matching versions
Istio » Istio » Version: 1.12.0 Update Beta2
cpe:2.3:a:istio:istio:1.12.0:beta2:*:*:*:*:*:*
Matching versions
Istio » Istio » Version: 1.12.0 Update RC1
cpe:2.3:a:istio:istio:1.12.0:rc1:*:*:*:*:*:*
Matching versions
Istio » Istio » Version: 1.12.1
cpe:2.3:a:istio:istio:1.12.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2022-21679

Exploit prediction scoring system (EPSS) score for CVE-2022-21679

CVSS scores for CVE-2022-21679

CWE ids for CVE-2022-21679

References for CVE-2022-21679

Products affected by CVE-2022-21679