What is CVE-2022-21701?

CVE-2022-21701 is a vulnerability in Istio versions 1.12.0 and 1.12.1 that allows privilege escalation.

What is the severity of CVE-2022-21701?

CVE-2022-21701 has a severity score of 8.8 out of 10, indicating a high severity.

How does CVE-2022-21701 impact Istio?

CVE-2022-21701 allows users with CREATE permission for gateways.gateway.networking.k8s.io objects to escalate their privilege and create other resources.

Which versions of Istio are affected by CVE-2022-21701?

Versions 1.12.0 and 1.12.1 of Istio are affected by CVE-2022-21701.

How can I fix CVE-2022-21701?

To fix CVE-2022-21701, upgrade your Istio installation to version 1.12.2 or apply the necessary patches provided by the Istio project.

Vulnerability/
CVE-2022-21701

high

8.8

CWE

863

19/1/2022

27/1/2022

CVE-2022-21701

First published: Wed Jan 19 2022(Updated: )

Istio is an open platform to connect, manage, and secure microservices. In versions 1.12.0 and 1.12.1 Istio is vulnerable to a privilege escalation attack. Users who have `CREATE` permission for `gateways.gateway.networking.k8s.io` objects can escalate this privilege to create other resources that they may not have access to, such as `Pod`. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable. Users are advised to upgrade to resolve this issue. Users unable to upgrade should implement any of the following which will prevent this vulnerability: Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, set PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=true environment variable in Istiod, or remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Istio Istio	=1.12.0
Istio Istio	=1.12.0-alpha0
Istio Istio	=1.12.0-alpha1
Istio Istio	=1.12.0-alpha5
Istio Istio	=1.12.0-beta0
Istio Istio	=1.12.0-beta1
Istio Istio	=1.12.0-beta2
Istio Istio	=1.12.0-rc1
Istio Istio	=1.12.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-21701?
CVE-2022-21701 is a vulnerability in Istio versions 1.12.0 and 1.12.1 that allows privilege escalation.
What is the severity of CVE-2022-21701?
CVE-2022-21701 has a severity score of 8.8 out of 10, indicating a high severity.
How does CVE-2022-21701 impact Istio?
CVE-2022-21701 allows users with CREATE permission for gateways.gateway.networking.k8s.io objects to escalate their privilege and create other resources.
Which versions of Istio are affected by CVE-2022-21701?
Versions 1.12.0 and 1.12.1 of Istio are affected by CVE-2022-21701.
How can I fix CVE-2022-21701?
To fix CVE-2022-21701, upgrade your Istio installation to version 1.12.2 or apply the necessary patches provided by the Istio project.

agent/weakness
agent/severity
agent/references
agent/author
agent/description
agent/type
agent/event
agent/softwarecombine
agent/first-publish-date
agent/last-modified-date
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/istio
canonical/istio istio
version/istio istio/1.12.0
version/istio istio/1.12.0-alpha0
version/istio istio/1.12.0-alpha1
version/istio istio/1.12.0-alpha5
version/istio istio/1.12.0-beta0
version/istio istio/1.12.0-beta1
version/istio istio/1.12.0-beta2
version/istio istio/1.12.0-rc1
version/istio istio/1.12.1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.