Summary
The Istio control plane, istiod, is vulnerable to a request processing error caused by a defect in the Go standard library's regular expression handling. A malicious attacker who sends a specially crafted or oversized message to the Kubernetes validating or mutating webhook service can crash the control plane. This endpoint is served over TLS port 15017 and does not require any authentication.
Impact
For simple Istio installations, istiod is typically only reachable from within the cluster, which limits the blast radius to internal actors. However, deployments using external istiod topologies may expose this port over the public internet, making the vulnerability remotely exploitable without authentication. A successful exploit crashes the control plane, disrupting sidecar certificate rotation, policy distribution, and configuration updates across the mesh. There are no effective workarounds beyond upgrading, as the root cause is a bug in Go's regexp.Compile.
Detection
Monitor istiod for unexpected crashes or restarts. Cluster operators can review pod restart counts with kubectl -n istio-system get pods and inspect istiod logs for panic or fatal error messages. If istiod is exposed externally, review ingress and firewall logs for unexpected traffic to TLS port 15017.
Mitigation
Upgrade Istio to a patched version on the appropriate release line:
- Istio 1.15.2 or later (for the 1.15 line)
- Istio 1.14.5 or later (for the 1.14 line)
- Istio 1.13.9 or later (for the 1.13 line)
There are no effective workarounds beyond upgrading. As a defense-in-depth measure, restrict network access to TLS port 15017 on istiod to only trusted internal sources.
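The detection guidance above (pod restart counts and panic/fatal log messages) can be scripted. The following is an added example written for this advisory, not Istio project code: two POSIX shell helpers that read `kubectl -n istio-system get pods` style output and istiod log lines from stdin, plus a combined verdict function. The pod table and log lines embedded below are constructed samples so the script runs offline; the pod names, timestamps and messages in them are assumptions, not real istiod output.

```shell
#!/bin/sh
# Added triage helpers for the istiod crash symptoms described in the advisory.
# Example code written for this page; not Istio project code.
# In practice pipe the real output of `kubectl -n istio-system get pods` and
# `kubectl -n istio-system logs <istiod-pod>` into the same functions.

# Constructed sample of `kubectl -n istio-system get pods` output (assumed pod
# names). Newer kubectl prints RESTARTS as "7 (4m ago)", which is handled below.
SAMPLE_PODS='NAME                      READY   STATUS    RESTARTS      AGE
istiod-7d8c9f6b5-abcde    1/1     Running   7 (4m ago)    3h
istiod-7d8c9f6b5-fghij    1/1     Running   0             3h
istio-ingressgateway-x1   1/1     Running   0             3h'

# Constructed sample istiod log lines (assumed format, not real istiod output).
SAMPLE_LOGS='2022-10-10T12:00:01.000000Z    info    handling validation webhook request
panic: constructed sample panic message
2022-10-10T12:00:05.000000Z    fatal   istiod exited unexpectedly
2022-10-10T12:00:09.000000Z    info    starting istiod'

# Print "<pod> <restarts>" for istiod pods restarted at least THRESHOLD times
# (default 1). Reads pod-table text on stdin. Only field 4 (the numeric part of
# RESTARTS) is compared, so the "(4m ago)" suffix does not matter.
restarted_istiod_pods() {
    threshold="${1:-1}"
    awk -v t="$threshold" \
        'NR > 1 && $1 ~ /^istiod-/ && ($4 + 0) >= t { print $1, $4 }'
}

# Count log lines that look like a Go panic or a fatal istiod error.
# Reads log lines on stdin and prints the count (0 when nothing matches;
# `|| true` keeps grep's exit status 1 for "no match" from aborting a caller).
count_crash_lines() {
    grep -c -E '^panic:|^fatal error:|[[:space:]]fatal[[:space:]]' || true
}

# Return 0 (true) when at least one istiod pod has restarted AND the logs
# contain crash-looking lines; 1 otherwise. Arguments: pod-table text, log text.
istiod_crash_suspected() {
    pods="$(printf '%s\n' "$1" | restarted_istiod_pods 1)"
    crashes="$(printf '%s\n' "$2" | count_crash_lines)"
    [ -n "$pods" ] && [ "$crashes" -gt 0 ]
}

# Usage against the constructed samples.
echo "istiod pods with restarts:"
printf '%s\n' "$SAMPLE_PODS" | restarted_istiod_pods 1
echo "crash-looking log lines: $(printf '%s\n' "$SAMPLE_LOGS" | count_crash_lines)"
if istiod_crash_suspected "$SAMPLE_PODS" "$SAMPLE_LOGS"; then
    echo "verdict: istiod crash suspected; check for traffic to TCP 15017"
else
    echo "verdict: no crash indicators in sample"
fi
```

A restart count alone is not proof of this issue (istiod also restarts on node drains and upgrades), which is why the verdict requires both a restart and a panic or fatal line; correlate the timestamps of those lines with ingress or firewall logs for port 15017 when istiod is reachable from outside the cluster.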