CVE-2022-23635 : Istio is an open platform to connect, manage, and secure microservices. In affec

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds, beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.

Published 2022-02-22 22:15:08

Updated 2023-07-13 16:32:56

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationBypassGain privilege

Products affected by CVE-2022-23635

Istio » Istio
Versions before (<) 1.11.7
cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
Matching versions
Istio » Istio
Versions from including (>=) 1.13.0 and before (<) 1.13.1
cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
Matching versions
Istio » Istio
Versions from including (>=) 1.12.0 and before (<) 1.12.4
cpe:2.3:a:istio:istio:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-23635

EPSS FAQ

0.65%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 70 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-23635

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-23635

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: security-advisories@github.com (Secondary)
CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-23635

https://github.com/istio/istio/commit/5f3b5ed958ae75156f8656fe7b3794f78e94db84

[release-1.13] Harden validation of untrusted inputs (#90) (#96) · istio/istio@5f3b5ed · GitHub
Patch;Third Party Advisory
https://istio.io/latest/news/security/istio-security-2022-003

Istio / ISTIO-SECURITY-2022-003
Third Party Advisory
https://github.com/istio/istio/security/advisories/GHSA-856q-xv3c-7f2f

Unauthenticated control plane denial of service attack · Advisory · istio/istio · GitHub
Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-23635

Products affected by CVE-2022-23635

Exploit prediction scoring system (EPSS) score for CVE-2022-23635

CVSS scores for CVE-2022-23635

CWE ids for CVE-2022-23635

References for CVE-2022-23635