Impact
Istio versions 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as Pod.
Am I Impacted?
This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable.
Your cluster may be impacted if:
- You have the Kubernetes Gateway CRD installed. This can be detected with kubectl get crd gateways.gateway.networking.k8s.io.
- You have not set the PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false environment variable in Istiod (it defaults to true).
- Untrusted users have CREATE permissions for gateways.gateway.networking.k8s.io objects.
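The following script is an added example, not part of the advisory: it checks the three conditions above against the current kube context and reports whether a given subject is in a position to abuse the escalation. It assumes istiod runs in the istio-system namespace with its container named "discovery", and that KUBECTL may be pointed at a wrapper (which is also how the checks can be exercised without a cluster).

```shell
#!/usr/bin/env sh
# Added example, not part of the Istio advisory: checks the three conditions
# from "Am I Impacted?" against the current kube context. Assumptions: istiod
# runs in ISTIOD_NS with its container named "discovery", and KUBECTL may point
# at a wrapper instead of the real binary.
KUBECTL="${KUBECTL:-kubectl}"
ISTIOD_NS="${ISTIOD_NS:-istio-system}"

# Condition 1: the Kubernetes Gateway API CRD is installed.
gateway_crd_installed() {
  "$KUBECTL" get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1
}

# Condition 2: the deployment controller is enabled. The variable defaults to
# true, so an absent value counts as enabled; only an explicit "false" disables it.
# Only the istiod Deployment spec is inspected; values injected via envFrom are not seen.
deployment_controller_enabled() {
  val=$("$KUBECTL" -n "$ISTIOD_NS" get deploy istiod -o jsonpath='{.spec.template.spec.containers[?(@.name=="discovery")].env[?(@.name=="PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER")].value}' 2>/dev/null)
  [ "$val" != "false" ]
}

# Condition 3: the given subject (a user, or a service account written as
# system:serviceaccount:<ns>:<name>) can CREATE Gateway objects.
subject_can_create_gateways() {
  "$KUBECTL" auth can-i create gateways.gateway.networking.k8s.io --as="$1" 2>/dev/null \
    | grep -qx yes
}

# Prints one line per condition and returns 0 only when all three hold,
# i.e. the cluster is exposed to the escalation for that subject.
assess_exposure() {
  subject="$1"; hits=0
  if gateway_crd_installed; then echo "[x] Gateway API CRD installed"; hits=$((hits+1))
  else echo "[ ] Gateway API CRD absent"; fi
  if deployment_controller_enabled; then echo "[x] deployment controller enabled"; hits=$((hits+1))
  else echo "[ ] PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false set"; fi
  if subject_can_create_gateways "$subject"; then echo "[x] $subject can CREATE Gateways"; hits=$((hits+1))
  else echo "[ ] $subject cannot CREATE Gateways"; fi
  [ "$hits" -eq 3 ]
}
```

Run as `assess_exposure <subject>` for each untrusted user or service account; a zero exit status means all three conditions hold and one of the workarounds below (or the upgrade) is needed.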
Patches
Istio 1.12.2 and later are patched.
Older Istio versions are not impacted.
Workarounds
If you are unable to upgrade, any of the following will prevent this vulnerability:
- Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition.
- Set the PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false environment variable in Istiod.
- Remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users.
For more information
If you have any questions or comments about this advisory, please email us at istio-security-vulnerability-reports@googlegroups.com.