Ill-formed headers may lead to unexpected behavior in Istio
CVE-2022-31045

7HIGH

Key Information:

Vendor: Istio
Status: Istio
Vendor: CVE Published:; 9 June 2022

What is CVE-2022-31045?

Istio is an open platform to connect, manage, and secure microservices. In affected versions ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic. This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1. Users are advised to upgrade. There are no known workarounds for this issue.

Affected Version(s)

istio < 1.12.18 < 1.12.18

istio >= 1.13.0, < 1.13.5 < 1.13.0, 1.13.5

istio >= 1.14.0, < 1.14.1 < 1.14.0, 1.14.1

References

https://github.com/istio/istio/security/advisories/GHSA-x...

x_refsource_CONFIRM

https://istio.io/latest/news/security/istio-security-2022-05

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2022
Vulnerability Reserved
May 18, 2022

CVE-2022-31045 Data

JSON