CVE-2022-24726

7.5 HIGH

📋 TL;DR

CVE-2022-24726 is a denial-of-service vulnerability in Istio's control plane (istiod) where a specially crafted message to the validating webhook endpoint on port 15017 can crash the control plane. This affects deployments where the validating webhook is exposed publicly, particularly external istiod topologies. The vulnerability requires no authentication from the attacker.

💻 Affected Systems

Products:
  • Istio
Versions: Istio versions before 1.13.2, 1.12.5, and 1.11.8
Operating Systems: All platforms running Istio
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when validating webhook endpoint (port 15017) is exposed to untrusted networks. Default installations typically have this port accessible only within the cluster.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete unavailability of the Istio control plane, leading to service mesh disruption, inability to manage traffic routing, and potential cascading failures in microservices.

🟠 Likely Case

Temporary service disruption requiring an istiod restart, impacting new deployments and configuration changes during the outage.

🟢 If Mitigated

No impact if the validating webhook is not exposed or is properly firewalled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to port 15017 and knowledge of the vulnerable endpoint. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Istio 1.13.2, 1.12.5, or 1.11.8

Vendor Advisory: https://github.com/istio/istio/security/advisories/GHSA-8w5h-qr4r-2h6g

Restart Required: Yes

Instructions:

1. Back up the current Istio configuration.
2. Upgrade the Istio control plane to a patched version using istioctl upgrade or Helm.
3. Restart the istiod pods.
4. Verify the upgrade with istioctl version.

🔧 Temporary Workarounds

Restrict network access to port 15017


Apply network policies or firewall rules to restrict access to istiod's validating webhook endpoint to trusted IPs only.

kubectl apply -f network-policy.yaml
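The page names a network-policy.yaml but does not show one. The script below is an added example (not part of the advisory or the Istio project) that renders a Kubernetes NetworkPolicy limiting ingress to istiod's webhook port 15017 to one allow-listed CIDR while leaving the other control-plane ports reachable. It assumes istiod runs in the istio-system namespace with the pod label app=istiod (what the default istioctl and Helm installs use), that your CNI enforces NetworkPolicy, and that the Kubernetes API server, which is the legitimate caller of the validating webhook, reaches istiod from the CIDR you pass in. If that CIDR misses the API server's source address, every Istio configuration change will fail validation, so confirm it before applying.

```shell
#!/bin/sh
# Added example: render a NetworkPolicy restricting istiod port 15017.
# Assumptions (adjust for your cluster): namespace istio-system, pod label
# app=istiod, and the API server reaches istiod from ALLOWED_CIDR.

# render_policy ALLOWED_CIDR [NAMESPACE]
# Prints the manifest on stdout; returns 1 if the CIDR argument is malformed.
render_policy() {
    cidr=$1
    ns=${2:-istio-system}
    case "$cidr" in
        */*) ;;
        *) echo "usage: render_policy CIDR [namespace]" >&2; return 1 ;;
    esac
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: istiod-restrict-webhook
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: istiod
  policyTypes:
  - Ingress
  ingress:
  # Rule 1: the webhook port is reachable only from the allow-listed range
  # (must include the Kubernetes API server's source address).
  - from:
    - ipBlock:
        cidr: $cidr
    ports:
    - protocol: TCP
      port: 15017
  # Rule 2: keep xDS (15010/15012) and monitoring (15014) open to the mesh;
  # a policy with only rule 1 would cut every sidecar off from istiod.
  - ports:
    - protocol: TCP
      port: 15010
    - protocol: TCP
      port: 15012
    - protocol: TCP
      port: 15014
EOF
}

# Usage: sh restrict-15017.sh 10.0.0.0/8 > network-policy.yaml
#        kubectl apply -f network-policy.yaml
if [ $# -gt 0 ]; then
    render_policy "$@"
fi
```

After applying, watch `kubectl get events -n istio-system` and try a harmless config change (for example annotating a Gateway); a rejected change with a webhook timeout means the CIDR does not cover the API server and the policy should be corrected before the window leaves validation broken.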

🧯 If You Can't Patch

  • Implement strict network segmentation to prevent external access to port 15017
  • Monitor istiod pod restarts and implement rate limiting on the validating webhook endpoint

🔍 How to Verify

Check if Vulnerable:

Check if istiod version is below 1.13.2, 1.12.5, or 1.11.8 and port 15017 is exposed to untrusted networks.

Check Version:

istioctl version

Verify Fix Applied:

Verify istiod version is 1.13.2+, 1.12.5+, or 1.11.8+ and test that crafted requests to port 15017 no longer crash the service.
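To make the version check above mechanical, here is an added example (not from the advisory or from Istio) that classifies an istiod version string against the fixed releases named on this page: 1.13.2, 1.12.5 and 1.11.8, with anything older than the 1.11 line treated as affected because it predates every fix. You supply the version yourself, for instance from `istioctl version` or from the istiod image tag; the `image_tag` helper strips the tag from an image reference such as docker.io/istio/pilot:1.12.3 (a constructed sample, not a real deployment). The kubectl query in the comments assumes the default app=istiod pod label.

```shell
#!/bin/sh
# Added example: is a given istiod version affected by CVE-2022-24726?
# Fixed releases per the advisory: 1.13.2, 1.12.5, 1.11.8.

# istiod_vulnerable VERSION
# Exit status: 0 = affected, 1 = fixed, 2 = unparseable.
istiod_vulnerable() {
    ver=${1#v}                 # tolerate a leading "v"
    ver=${ver%%-*}             # drop pre-release suffixes such as "-rc.1"
    case "$ver" in
        *.*.*) ;;              # require major.minor.patch
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$minor" -gt 13 ]; then return 1; fi   # newer lines ship the fix
    if [ "$minor" -lt 11 ]; then return 0; fi   # older than every fixed line
    case "$minor" in
        13) fixed=2 ;;
        12) fixed=5 ;;
        11) fixed=8 ;;
    esac
    [ "$patch" -lt "$fixed" ]
}

# image_tag IMAGE
# Prints the tag of an image reference, ignoring a trailing @sha256:... digest.
# Constructed sample input: docker.io/istio/pilot:1.12.3 -> 1.12.3
# (A registry with a port but no tag, e.g. reg:5000/x, is not handled.)
image_tag() {
    img=${1%%@*}
    case "$img" in
        *:*) printf '%s\n' "${img##*:}" ;;
        *) return 1 ;;
    esac
}

# check_istiod VERSION
# Prints a one-line verdict; exit status as istiod_vulnerable.
check_istiod() {
    istiod_vulnerable "$1"; rc=$?
    case $rc in
        0) echo "$1: VULNERABLE to CVE-2022-24726 (upgrade to 1.13.2, 1.12.5 or 1.11.8)" ;;
        1) echo "$1: not affected" ;;
        *) echo "$1: cannot parse version" ;;
    esac
    return $rc
}

# Typical use (assumes the default app=istiod label on the istiod pods):
#   for img in $(kubectl get pods -n istio-system -l app=istiod \
#         -o jsonpath='{.items[*].spec.containers[*].image}'); do
#       check_istiod "$(image_tag "$img")"
#   done
if [ $# -gt 0 ]; then
    check_istiod "$1"
fi
```

A "not affected" verdict only covers the version half of the check; whether port 15017 is reachable from untrusted networks still has to be confirmed separately, for example by reviewing the Service or LoadBalancer that fronts istiod and any NetworkPolicy applied to it.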

📡 Detection & Monitoring

Log Indicators:

  • Unexpected istiod pod crashes/restarts
  • Error logs mentioning validating webhook failures

Network Indicators:

  • Unusual traffic patterns to port 15017 from external IPs
  • High volume of requests to validating webhook endpoint

SIEM Query:

source.port=15017 AND (http.status=500 OR connection.reset)
