Vulnerability Name:

CVE-2022-21701 (CCN-217822)

Assigned: 2021-11-16
Published: 2022-01-18
Updated: 2022-01-27
Summary: Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (`gateways.networking.istio.io`), which is not vulnerable. Users are advised to upgrade to resolve this issue. Users unable to upgrade should implement any of the following which will prevent this vulnerability: Remove the `gateways.gateway.networking.k8s.io` CustomResourceDefinition, set `PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=true` environment variable in Istiod, or remove `CREATE` permissions for `gateways.gateway.networking.k8s.io` objects from untrusted users.
CVSS v3 Severity: 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
4.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)
4.1 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-863
Vulnerability Consequences: Gain Privileges
References: Source: MITRE
Type: CNA
CVE-2022-21701

Source: XF
Type: UNKNOWN
istio-cve202221701-priv-esc(217822)

Source: CCN
Type: Istio GIT Repository
Privileged Escalation in Kubernetes Gateway API

Source: CONFIRM
Type: Third Party Advisory
https://github.com/istio/istio/security/advisories/GHSA-mq8f-9446-c28r

Source: MISC
Type: Mitigation, Release Notes, Vendor Advisory
https://istio.io/latest/news/releases/1.12.x/announcing-1.12.2/

Vulnerable Configuration: Configuration 1:
  • cpe:/a:istio:istio:1.12.0:-:*:*:*:*:*:*
  • OR cpe:/a:istio:istio:1.12.0:alpha0:*:*:*:*:*:*
  • OR cpe:/a:istio:istio:1.12.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:istio:istio:1.12.0:alpha5:*:*:*:*:*:*
  • OR cpe:/a:istio:istio:1.12.0:beta0:*:*:*:*:*:*
  • OR cpe:/a:istio:istio:1.12.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:istio:istio:1.12.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:istio:istio:1.12.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:istio:istio:1.12.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    istio istio 1.12.0 -
    istio istio 1.12.0 alpha0
    istio istio 1.12.0 alpha1
    istio istio 1.12.0 alpha5
    istio istio 1.12.0 beta0
    istio istio 1.12.0 beta1
    istio istio 1.12.0 beta2
    istio istio 1.12.0 rc1
    istio istio 1.12.1