Summary
The Istio control plane, istiod, is vulnerable to a request processing error that allows an attacker to crash the control plane by sending a specially crafted message. The affected endpoint is served on TLS port 15012 and does not require any authentication from the attacker.
Impact
For simple Istio installations, istiod is typically only reachable from within the cluster, which limits exposure to internal actors. However, for multicluster deployments using a primary-remote topology, TLS port 15012 may be exposed over the public internet, making the vulnerability remotely exploitable without authentication. A successful attack crashes istiod, halting certificate rotation and configuration distribution for all mesh members. There are no effective workarounds beyond upgrading; however, restricting network access to istiod to the minimal set of clients can reduce the scope.
Detection
Check for unexpected istiod pod restarts (the RESTARTS column of kubectl -n istio-system get pods) and review the istiod logs (for example with kubectl -n istio-system logs deploy/istiod) for fatal- or panic-level errors. For multicluster deployments, audit firewall and network policy rules to determine whether TLS port 15012 is reachable from external networks.
Mitigation
Upgrade Istio to a patched version on the appropriate release line:
- Istio 1.13.1 or later (for the 1.13 line)
- Istio 1.12.4 or later (for the 1.12 line)
- Istio 1.11.7 or later (for the 1.11 line)
There are no effective workarounds beyond upgrading. Limiting network access to istiod to the minimal set of trusted clients can partially reduce the attack surface while an upgrade is planned.
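The checks described under Detection and Mitigation above, as an added example that is not part of this advisory or of Istio: three POSIX shell helpers that sum istiod restart counts from a kubectl pod table, pull fatal/panic lines out of istiod logs, and decide whether an istiod image version is at or above the patched release for its line. The sample pod table and log lines are constructed for the example; the version-tag formats and the log-level keywords are assumptions.

```shell
#!/bin/sh
# Added triage helpers for this advisory (not part of Istio or the advisory).
# Assumptions: istiod image tags look like "1.13.0"/"v1.13.0-distroless", and
# the patched minimums are those listed above (1.11.7, 1.12.4, 1.13.1).

# istiod_version_patched VERSION: exit 0 if VERSION is at or above the patched
# release of its line, 1 if it is still vulnerable, 2 if the line (major.minor)
# is not one the advisory covers, so the caller must assess it separately.
istiod_version_patched() {
    ver=${1#v}                                   # tolerate a leading "v"
    line=$(printf '%s' "$ver" | cut -d. -f1,2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch%%[!0-9]*}                      # strip "-distroless" etc.
    case "$line" in
        1.13) min_patch=1 ;;
        1.12) min_patch=4 ;;
        1.11) min_patch=7 ;;
        *)    return 2 ;;
    esac
    [ "${patch:-0}" -ge "$min_patch" ]
}

# istiod_restart_count: reads a `kubectl -n istio-system get pods` table on
# stdin and prints the summed RESTARTS column for istiod pods. Newer kubectl
# prints "3 (5m ago)"; awk's numeric coercion keeps only the leading integer.
istiod_restart_count() {
    awk 'NR > 1 && $1 ~ /^istiod-/ { total += $4 + 0 } END { print total + 0 }'
}

# istiod_panic_lines: reads istiod log text on stdin and prints lines carrying
# a fatal/panic log level or a Go runtime panic, the signature of a crash.
istiod_panic_lines() {
    grep -Eiw 'fatal|panic'
}

# Constructed sample input (not real cluster output) so the helpers run offline.
SAMPLE_PODS='NAME                      READY   STATUS    RESTARTS     AGE
istiod-7d4f9c8b6d-x2k9q   1/1     Running   3 (5m ago)   2d
istio-ingressgateway-abc  1/1     Running   0            2d'
SAMPLE_LOG='2022-02-22T10:00:00.000000Z info ads XDS: Pushing
panic: runtime error: invalid memory address or nil pointer dereference
2022-02-22T10:00:01.000000Z warn ads connection closed'

echo "istiod restarts in sample: $(printf '%s\n' "$SAMPLE_PODS" | istiod_restart_count)"
printf '%s\n' "$SAMPLE_LOG" | istiod_panic_lines
for v in 1.13.0 1.13.1 1.12.4 1.11.6 v1.11.7-distroless; do
    if istiod_version_patched "$v"; then echo "$v: patched"; else echo "$v: vulnerable"; fi
done
```

Against a live cluster, feed `kubectl -n istio-system get pods` and `kubectl -n istio-system logs deploy/istiod` into the two stdin helpers and the istiod image tag into the version check.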