Is CVE-2022-24726 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 2%.

What products does CVE-2022-24726 affect?

Tracked products affected include Istio. Check the version you run to see whether it is affected.

How do I fix CVE-2022-24726?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2022-24726

Q: What is CVE-2022-24726?

CVE-2022-24726 is a high-severity software vulnerability (Uncontrolled resource consumption) with a CVSS score of 7.5. Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message

HIGH severity · CVSS 7.5 · Uncontrolled resource consumption

7.5CVSS HIGH

Summary

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, istiod, is vulnerable to a request processing error, allowing a malicious attacker that sends a specially crafted message which results in the control plane crashing when the validating webhook for a cluster is exposed publicly. This endpoint is served over TLS port 15017, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [external istiod](https://istio.io/latest/docs/setup/install/external-controlplane/) topologies, this port is exposed over the public internet. This issue has been patched in versions 1.13.2, 1.12.5 and 1.11.8. Users are advised to upgrade. Users unable to upgrade should disable access to a validating webhook that is exposed to the public internet or restrict the set of IP addresses that can query it to a set of known, trusted entities.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)2%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products we track (1)

Istio

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/golang/go/issues/51112 ↗

CVE-2022-24726

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information