istio.io/content/en/news/security/istio-security-2022-002/index.md

title	subtitle	description	cves	cvss	vector	releases	publishdate	keywords	skip_seealso
ISTIO-SECURITY-2022-002	Security Bulletin	Privileged Escalation in Kubernetes Gateway API.	CVE-2022-21701	4.7	AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L	1.12.0 to 1.12.1	2022-01-18	CVE	true

{{< security_bulletin >}}

CVE

CVE-2022-21701

Istio version 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as Pod.

Am I Impacted?

This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable.

Your cluster may be impacted if:

• You have the Kubernetes Gateway CRD installed. This can be detected with kubectl get crd gateways.gateway.networking.k8s.io.
• You have not set the PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false environment variable in Istiod (this is defaulted to true).
• Untrusted users have CREATE permissions for gateways.gateway.networking.k8s.io objects.

Workarounds

If you are unable to upgrade, any of the following will prevent this vulnerability:

• Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition.
• Set PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false environment variable in Istiod.
• Remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users.

Credit

We would like to thank Anthony Weems.