Help Center>
Application Service Mesh>
Product Bulletin>
Vulnerability Notices>
Unauthenticated Control Plane DoS Attack (CVE-2022-23635)
Updated on 2024-05-11 GMT+08:00
Unauthenticated Control Plane DoS Attack (CVE-2022-23635)
Description
Vulnerability Type |
CVE-ID |
Discovered |
|---|---|---|
DoS |
CVE-2022-23635 |
2022-02-22 |
Impact Score
7.5 (high risk)
Trigger Conditions
- For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius.
- For multi-cluster installations, port 15012 is exposed over a public network.
Root Cause
Istiod can process requests received on port 15012 even without authentication information. However, if there are too many requests sent to this port, Istiod will become unavailable.
Affected Versions
Istio earlier than 1.13.1
Patches
- ASM 1.8.4-r5 or later
- Istio 1.13.1 or later
- Istio 1.12.4 or later
- Istio 1.11.7 or later
Workarounds
There are no effective workarounds, beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.
Helpful Links
- Istio official website: Security Notice
- Istio community: Vulnerability Notice
Parent topic: Vulnerability Notices
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
