CVE-2022-21701

Name of the Vulnerable Software and Affected Versions Istio versions 1.12.0 through 1.12.1

Description Istio is an open platform to connect, manage, and secure microservices. The issue allows users with CREATE permission for gateways.gateway.networking.k8s.io objects to escalate this privilege and create other resources they may not have access to, such as Pod. This impacts only the Alpha level feature, the Kubernetes Gateway API, and not the Istio Gateway type.

Recommendations For versions 1.12.0 and 1.12.1, upgrade to a newer version to resolve the issue. As a temporary workaround for versions 1.12.0 and 1.12.1, consider one of the following: remove the gateways.gateway.networking.k8s.io CustomResourceDefinition, set the PILOT ENABLE GATEWAY API DEPLOYMENT CONTROLLER=true environment variable in Istiod, or remove CREATE permissions for gateways.gateway.networking.k8s.io objects from untrusted users.