Privilege Escalation in Kubernetes Gateway API.
| CVSS Impact Score | 4.7 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
| Affected Releases | 1.12.0 to 1.12.1 |
Istio versions 1.12.0 and 1.12.1 are vulnerable to a privilege escalation attack. Users who have CREATE permission for gateways.gateway.networking.k8s.io objects can escalate this privilege to create other resources that they may not have access to, such as
Am I Impacted?
This vulnerability impacts only an Alpha level feature, the Kubernetes Gateway API. This is not the same as the Istio Gateway type (gateways.networking.istio.io), which is not vulnerable.
Your cluster may be impacted if:
- You have the Kubernetes Gateway CRD installed. This can be detected with kubectl get crd gateways.gateway.networking.k8s.io.
- You have not set the PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false environment variable in Istiod (this is defaulted to
- Untrusted users have
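
The conditions above can be checked with kubectl for one user and namespace, as in this added example (not part of the Istio advisory). It assumes istiod runs as Deployment istiod in namespace istio-system and that the caller may impersonate users with kubectl auth can-i; the function names are illustrative, and the Istio version is not checked.

```shell
#!/bin/sh
# Added example: checks the advisory's "Am I impacted?" conditions via kubectl.
# Assumptions (not from the advisory): istiod is Deployment "istiod" in
# namespace "istio-system"; override with ISTIO_NS / ISTIOD_DEPLOY.
ISTIO_NS="${ISTIO_NS:-istio-system}"
ISTIOD_DEPLOY="${ISTIOD_DEPLOY:-istiod}"
GW_CRD="gateways.gateway.networking.k8s.io"
FLAG="PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER"

# Condition 1: the Kubernetes Gateway CRD is installed.
crd_installed() {
  kubectl get crd "$GW_CRD" >/dev/null 2>&1
}

# Condition 2: the flag is not explicitly "false" on istiod. An unset flag or
# an unreadable Deployment counts as enabled, so errors lean toward "exposed".
controller_enabled() {
  val=$(kubectl -n "$ISTIO_NS" get deploy "$ISTIOD_DEPLOY" -o \
    jsonpath="{.spec.template.spec.containers[*].env[?(@.name=='$FLAG')].value}" \
    2>/dev/null)
  [ "$val" != "false" ]
}

# Condition 3: the subject can create Gateway objects in the namespace.
can_create_gateways() {  # usage: can_create_gateways <user> <namespace>
  [ "$(kubectl auth can-i create "$GW_CRD" --as "$1" -n "$2" 2>/dev/null)" = "yes" ]
}

# Returns 0 when all three conditions hold for <user> in <namespace>,
# 1 otherwise, and prints the reason either way.
is_exposed() {
  if ! crd_installed; then
    echo "not exposed: CRD $GW_CRD is not installed"; return 1
  fi
  if ! controller_enabled; then
    echo "not exposed: $FLAG=false is set on istiod"; return 1
  fi
  if ! can_create_gateways "$1" "$2"; then
    echo "not exposed: $1 cannot create $GW_CRD objects in $2"; return 1
  fi
  echo "EXPOSED: $1 can create $GW_CRD objects in $2"
  return 0
}

# Script use: sh check.sh <user> <namespace>
if [ "$#" -eq 2 ]; then is_exposed "$1" "$2"; fi
```
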
If you are unable to upgrade, any of the following will prevent this vulnerability:
- Remove the
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER=false environment variable in Istiod.
gateways.gateway.networking.k8s.io objects from untrusted users.
We would like to thank Anthony Weems.