mirror of https://github.com/istio/istio.io.git
42 lines
1.7 KiB
Markdown
42 lines
1.7 KiB
Markdown
---
|
|
title: ISTIO-SECURITY-2022-002
|
|
subtitle: Security Bulletin
|
|
description: Privileged Escalation in Kubernetes Gateway API.
|
|
cves: [CVE-2022-21701]
|
|
cvss: "4.7"
|
|
vector: "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
|
|
releases: ["1.12.0 to 1.12.1"]
|
|
publishdate: 2022-01-18
|
|
keywords: [CVE]
|
|
skip_seealso: true
|
|
---
|
|
|
|
{{< security_bulletin >}}
|
|
|
|
## CVE
|
|
|
|
### CVE-2022-21701
|
|
|
|
Istio version 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`.
|
|
|
|
## Am I Impacted?
|
|
|
|
This vulnerability impacts only an Alpha level feature, the [Kubernetes Gateway API](/docs/tasks/traffic-management/ingress/gateway-api/). This is not the same as the Istio `Gateway` type (`gateways.networking.istio.io`), which is not vulnerable.
|
|
|
|
Your cluster may be impacted if:
|
|
* You have the Kubernetes Gateway CRD installed. This can be detected with `kubectl get crd gateways.gateway.networking.k8s.io`.
|
|
* You have not set the `PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false` environment variable in Istiod (this is defaulted to `true`).
|
|
* Untrusted users have `CREATE` permissions for `gateways.gateway.networking.k8s.io` objects.
|
|
|
|
## Workarounds
|
|
|
|
If you are unable to upgrade, any of the following will prevent this vulnerability:
|
|
|
|
* Remove the `gateways.gateway.networking.k8s.io` `CustomResourceDefinition`.
|
|
* Set `PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false` environment variable in Istiod.
|
|
* Remove `CREATE` permissions for `gateways.gateway.networking.k8s.io` objects from untrusted users.
|
|
|
|
## Credit
|
|
|
|
We would like to thank Anthony Weems.
|