Summary
The Istio control plane, istiod, is vulnerable to a request processing error that causes a stack exhaustion crash. A malicious attacker who sends a specially crafted or oversized message to the Kubernetes validating or mutating webhook service can crash istiod. This endpoint is served over TLS port 15017 and does not require any authentication from the attacker.
Impact
For simple Istio installations, istiod is typically only reachable from within the cluster. However, for deployments using external istiod topologies, this port may be exposed over the public internet, making the vulnerability remotely exploitable by any unauthenticated attacker. Crashing istiod disrupts certificate rotation, policy distribution, and configuration push for all sidecars in the mesh. The CVSS score of 7.5 reflects the network-accessible, no-authentication-required nature of the attack with a full availability impact.
Detection
Monitor istiod for unexpected crashes or pod restarts via kubectl -n istio-system get pods. Inspect istiod logs for stack overflow or fatal error output. If port 15017 is exposed beyond the cluster boundary, review network-level logs for unexpected connection attempts from external sources.
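The two checks above (restart counts from kubectl and stack-overflow markers in the istiod log) can be scripted. The following is an added example, not code from the Istio project or this advisory; it runs against constructed sample data embedded inline and assumes istiod pods are named with the prefix "istiod" and that a Go stack-exhaustion crash is recorded by the Go runtime as "goroutine stack exceeds ..." followed by "fatal error: stack overflow" (the container then exits with status 2, which Kubernetes reports as reason "Error").

```python
import json

# Lines the Go runtime prints when a goroutine exhausts its stack. A stack
# exhaustion crash in istiod surfaces as these lines at the end of the pod log.
STACK_OVERFLOW_MARKERS = (
    "goroutine stack exceeds",
    "fatal error: stack overflow",
)


def restarted_istiod_pods(pods_json, min_restarts=1):
    """Parse `kubectl -n istio-system get pods -o json` output and return the
    istiod containers restarted at least `min_restarts` times, together with
    the reason and exit code Kubernetes recorded for the last termination.
    Assumption: istiod pods are named with the prefix 'istiod'."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        name = pod["metadata"]["name"]
        if not name.startswith("istiod"):
            continue
        for cs in pod.get("status", {}).get("containerStatuses", []):
            if cs.get("restartCount", 0) < min_restarts:
                continue
            term = cs.get("lastState", {}).get("terminated", {})
            findings.append({
                "pod": name,
                "container": cs["name"],
                "restarts": cs["restartCount"],
                "last_reason": term.get("reason"),
                "exit_code": term.get("exitCode"),
            })
    return findings


def scan_log_for_stack_overflow(log_text):
    """Return (line_number, line) for every log line carrying a Go runtime
    stack-overflow marker, e.g. from `kubectl -n istio-system logs <pod> --previous`."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if any(marker in line for marker in STACK_OVERFLOW_MARKERS):
            hits.append((number, line))
    return hits


# Constructed sample of `kubectl get pods -o json`: one crashed istiod pod and
# one healthy gateway pod that must be ignored.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "istiod-6d7c9f8b4-abcde"},
     "status": {"containerStatuses": [{
         "name": "discovery", "restartCount": 3,
         "lastState": {"terminated": {"reason": "Error", "exitCode": 2}}}]}},
    {"metadata": {"name": "istio-ingressgateway-5f9b7c6d8-xyz12"},
     "status": {"containerStatuses": [{
         "name": "istio-proxy", "restartCount": 0, "lastState": {}}]}},
]})

# Constructed sample of an istiod log ending in a Go stack-overflow crash.
SAMPLE_LOG = "\n".join([
    "2022-03-01T10:00:00.000000Z\tinfo\tvalidation request received",
    "runtime: goroutine stack exceeds 1000000000-byte limit",
    "runtime: sp=0xc020160390 stack=[0xc020160000, 0xc040160000]",
    "fatal error: stack overflow",
    "",
])

if __name__ == "__main__":
    for finding in restarted_istiod_pods(SAMPLE_PODS_JSON):
        print("restarted:", finding)
    for number, line in scan_log_for_stack_overflow(SAMPLE_LOG):
        print(f"log line {number}: {line}")
```

In a live cluster, feed `kubectl -n istio-system get pods -o json` to `restarted_istiod_pods` and the `--previous` log of a restarted pod to `scan_log_for_stack_overflow`; a restart with reason "Error" and exit code 2 that coincides with the stack-overflow markers is the signature this advisory describes, whereas an OOMKilled termination is a different problem.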
Mitigation
Upgrade Istio to a patched version on the appropriate release line:
- Istio 1.13.2 or later (for the 1.13 line)
- Istio 1.12.5 or later (for the 1.12 line)
- Istio 1.11.8 or later (for the 1.11 line)
As a workaround, disable external access to the validating webhook service or restrict the set of IP addresses that can reach TLS port 15017 to a known, trusted set of sources.
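One way to restrict who can reach TLS port 15017 is a Kubernetes NetworkPolicy selecting the istiod pods. The following is an added example, not part of this advisory or the Istio project: it shows such a policy (written as a Python dict with the same structure as the YAML manifest; `json.dumps` of it is a manifest `kubectl apply -f` accepts) and a check that flags policies which still leave port 15017 open to any source. It assumes istiod pods carry the label app: istiod, that 10.0.0.0/8 stands in for the trusted source range, and that xDS on port 15012 must stay reachable from inside the cluster.

```python
import json

WEBHOOK_PORT = 15017   # istiod validating/mutating webhook (TLS)
XDS_PORT = 15012       # istiod xDS listener used by sidecars (assumed still required)

# Constructed policy: only the trusted range (assumed 10.0.0.0/8) and in-cluster
# pods may reach the webhook port; in-cluster pods may also reach xDS.
RESTRICTED_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "istiod-webhook-allowlist", "namespace": "istio-system"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "istiod"}},  # assumed istiod label
        "policyTypes": ["Ingress"],
        "ingress": [
            {"from": [{"ipBlock": {"cidr": "10.0.0.0/8"}},
                      {"namespaceSelector": {}}],
             "ports": [{"protocol": "TCP", "port": WEBHOOK_PORT}]},
            {"from": [{"namespaceSelector": {}}],
             "ports": [{"protocol": "TCP", "port": XDS_PORT}]},
        ],
    },
}

# Constructed policy that is a no-op for this advisory: the rule has no `from`
# entry, which in NetworkPolicy semantics means "allow from every source".
OPEN_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "istiod-webhook-open", "namespace": "istio-system"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "istiod"}},
        "policyTypes": ["Ingress"],
        "ingress": [
            {"ports": [{"protocol": "TCP", "port": WEBHOOK_PORT}]},
        ],
    },
}


def rule_covers_port(rule, port):
    """An ingress rule without a `ports` list applies to every port."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == "TCP"
               for p in ports)


def open_webhook_rules(policy, port=WEBHOOK_PORT):
    """Return (rule_index, reason) for each ingress rule that allows `port`
    from an unrestricted source: a rule with no `from` peers, or an ipBlock
    covering all addresses with no `except` list."""
    findings = []
    spec = policy.get("spec", {})
    # When policyTypes is omitted, Ingress is always implied.
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return findings
    for index, rule in enumerate(spec.get("ingress", [])):
        if not rule_covers_port(rule, port):
            continue
        peers = rule.get("from")
        if not peers:
            findings.append((index, "no 'from' peers: allows any source"))
            continue
        for peer in peers:
            block = peer.get("ipBlock")
            if block and block.get("cidr") in ("0.0.0.0/0", "::/0") \
                    and not block.get("except"):
                findings.append((index, f"ipBlock {block['cidr']} allows any source"))
    return findings


if __name__ == "__main__":
    print(json.dumps(RESTRICTED_POLICY, indent=2))  # manifest for kubectl apply -f
    for name, policy in (("restricted", RESTRICTED_POLICY), ("open", OPEN_POLICY)):
        print(name, "->", open_webhook_rules(policy) or "port 15017 restricted")
```

Two caveats apply when using a policy like this. NetworkPolicy is only enforced by a CNI plugin that supports it, and once a policy selects the istiod pods every ingress port not listed is denied, so each istiod listener the mesh relies on (xDS on 15012 in the example) needs its own rule. For external istiod topologies where 15017 is published through a LoadBalancer Service, the ipBlock only sees the real client address if the Service preserves it (externalTrafficPolicy: Local); otherwise apply the allowlist at the load balancer or firewall in front of the cluster instead.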