Privilege Escalation affecting istio.io/istio/pilot/pkg/config/kube/gateway package, versions >=1.12.0 <1.12.2
Attack Complexity: Low
Privileges Required: High
Snyk ID: SNYK-GOLANG-ISTIOIOISTIOPILOTPKGCONFIGKUBEGATEWAY-2348631
Published: 20 Jan 2022
Disclosed: 20 Jan 2022
Credit: Unknown
Introduced: 20 Jan 2022
CVE-2022-21701
How to fix?
Upgrade istio.io/istio/pilot/pkg/config/kube/gateway to version 1.12.2 or higher.
Overview
Affected versions of this package are vulnerable to Privilege Escalation. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as Pods. This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API.
Workaround:
- Remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, or
- Set the PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false environment variable in Istiod, or
- Remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users.
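The third workaround requires knowing which RBAC roles actually grant CREATE on gateways.gateway.networking.k8s.io, and Kubernetes RBAC wildcards ("*" in apiGroups, resources or verbs) make a plain text search unreliable. The following audit helper is an added example, not code from Snyk or the Istio project; it evaluates Role/ClusterRole `rules:` entries with RBAC wildcard semantics and reports the roles that would let a subject create Gateway objects. The role names and rules are constructed sample data; on a real cluster they would be taken from `kubectl get roles,clusterroles -A -o json`.

```python
"""Audit Kubernetes RBAC rules for CREATE on gateways.gateway.networking.k8s.io.

Added example for CVE-2022-21701 (not from Snyk or Istio). The rule dicts
below are constructed to mirror the `rules:` field of a Role or ClusterRole.
"""

TARGET_GROUP = "gateway.networking.k8s.io"
TARGET_RESOURCE = "gateways"
TARGET_VERB = "create"


def _matches(values, wanted):
    """RBAC list semantics: '*' is a wildcard, otherwise exact match."""
    return "*" in values or wanted in values


def rule_grants_create(rule):
    """True if one RBAC rule lets the subject create Gateway objects.

    A rule grants a verb on a resource only when apiGroups, resources and
    verbs all match; each list may contain the wildcard '*'.
    """
    return (
        _matches(rule.get("apiGroups", []), TARGET_GROUP)
        and _matches(rule.get("resources", []), TARGET_RESOURCE)
        and _matches(rule.get("verbs", []), TARGET_VERB)
    )


def find_risky_roles(roles):
    """Return the names of roles whose rules grant create on Gateway objects."""
    return [
        name
        for name, rules in roles.items()
        if any(rule_grants_create(rule) for rule in rules)
    ]


# Constructed sample roles (not real cluster data).
SAMPLE_ROLES = {
    # Explicit create on the Gateway API resource: affected by this CVE.
    "tenant-gateway-admin": [
        {
            "apiGroups": ["gateway.networking.k8s.io"],
            "resources": ["gateways", "httproutes"],
            "verbs": ["get", "list", "create", "update"],
        },
    ],
    # Wildcard resources and verbs inside the group: also affected.
    "tenant-wildcard": [
        {"apiGroups": ["gateway.networking.k8s.io"], "resources": ["*"], "verbs": ["*"]},
    ],
    # Read-only on Gateway objects: not affected.
    "tenant-gateway-viewer": [
        {
            "apiGroups": ["gateway.networking.k8s.io"],
            "resources": ["gateways"],
            "verbs": ["get", "list", "watch"],
        },
    ],
    # Create rights on an unrelated core-group resource: not affected.
    "tenant-configmap-writer": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]},
    ],
}

if __name__ == "__main__":
    for name in find_risky_roles(SAMPLE_ROLES):
        print(f"{name}: grants create on {TARGET_RESOURCE}.{TARGET_GROUP}")
```

Roles flagged by this check should have `create` (or the `*` verb) removed from the Gateway rule for any subject that is not trusted to create Pods in the same namespace; the two other workarounds on this page (dropping the CRD, or setting PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false on Istiod) remove the deployment path itself rather than the permission.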