
CVE-2022-23635: CWE-287: Improper Authentication in istio istio

Medium
Published: Tue Feb 22 2022 (02/22/2022, 22:00:13 UTC)
Source: CVE
Vendor/Project: istio
Product: istio

Description

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error, allowing a malicious attacker to send a specially crafted message that results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds, beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.

AI-Powered Analysis

Last updated: 06/23/2025, 16:17:21 UTC

Technical Analysis

CVE-2022-23635 is a vulnerability in the Istio service mesh platform, specifically affecting the Istio control plane component called 'istiod'. Istio is widely used to connect, manage, and secure microservices in cloud-native environments. The vulnerability arises from improper authentication (CWE-287) on a request processing endpoint served over TLS on port 15012. This endpoint does not require any authentication, allowing an unauthenticated attacker to send specially crafted messages that cause the Istio control plane to crash. The crash results in a denial of service (DoS) condition, disrupting the management and security functions of the microservices mesh. In typical single-cluster deployments, the istiod endpoint on port 15012 is only accessible within the cluster network, which limits exposure. However, in multicluster topologies or certain deployment configurations, this port may be exposed to the public internet, significantly increasing the attack surface. No effective workarounds exist other than upgrading to patched versions. Network-level access restrictions to limit which clients can reach istiod can reduce the risk but do not eliminate it. The affected versions include Istio releases from 1.11.0 up to but not including 1.11.7, 1.12.0 up to but not including 1.12.4, and 1.13.0 up to but not including 1.13.1. This vulnerability does not require user interaction or authentication, and no known exploits have been observed in the wild as of the publication date. The impact is primarily availability-related due to the control plane crash, but given Istio’s critical role in microservices communication and security, the disruption can have cascading effects on application stability and security enforcement.
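The affected ranges above are half-open on each minor line (the first version listed is affected, the second is the fix). The following added example, which is not part of the advisory or the Istio project, turns those three ranges into a fleet audit: it parses version strings as reported by `istiod` images or `istioctl`, reports whether each falls inside an affected range, and names the first patched release on the same line. The inventory list at the bottom is constructed; the treatment of pre-release tags (a `1.13.0-rc.1` is compared as `1.13.0` and therefore flagged) is a conservative assumption, not something the advisory states.

```python
"""Check whether Istio releases fall inside the ranges CVE-2022-23635 affects."""
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the advisory: each entry is [first affected, first fixed).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((1, 11, 0), (1, 11, 7)),
    ((1, 12, 0), (1, 12, 4)),
    ((1, 13, 0), (1, 13, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'v1.12.3', '1.12.3' or '1.12.3-rc.1' into a (major, minor, patch) tuple.

    Pre-release and build suffixes are dropped (assumption: a pre-release of
    1.13.0 is treated like 1.13.0, which keeps the check conservative).
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Istio version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    ver = parse_version(text)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(text: str) -> str:
    """First patched release on the same minor line, or '' if not affected."""
    ver = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= ver < hi:
            return ".".join(str(n) for n in hi)
    return ""


def audit(versions: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Map each version string in an inventory to (affected?, upgrade target)."""
    return {v: (is_affected(v), fixed_version_for(v)) for v in versions}


if __name__ == "__main__":
    # Constructed inventory of istiod versions seen across several clusters.
    inventory = ["1.11.5", "v1.12.4", "1.13.0-rc.1", "1.14.0"]
    for v, (bad, fix) in audit(inventory).items():
        status = f"AFFECTED, upgrade to {fix}" if bad else "not affected"
        print(f"{v:>12}: {status}")
```

Versions outside all three ranges (for example a 1.10.x line) are reported as not affected by this particular advisory; that says nothing about their other exposures, so treat end-of-life lines on their own terms.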

Potential Impact

For European organizations leveraging Istio for microservices management, this vulnerability poses a significant risk to service availability and operational continuity. The control plane crash can interrupt service mesh functions such as traffic routing, policy enforcement, and security controls, potentially leading to degraded application performance or outages. Organizations with multicluster or hybrid cloud deployments that expose the istiod endpoint externally are at higher risk of remote exploitation. This could affect critical infrastructure, financial services, telecommunications, and other sectors heavily reliant on cloud-native architectures. The lack of authentication on the vulnerable endpoint means attackers do not need credentials or user interaction, increasing the ease of exploitation if the endpoint is exposed. While no active exploits have been reported, the potential for denial of service attacks could disrupt business operations, compliance with service-level agreements, and customer trust. Additionally, the inability to enforce authentication on this endpoint could be leveraged in combination with other vulnerabilities to escalate attacks within the network.

Mitigation Recommendations

1. Upgrade immediately to a patched Istio release: 1.11.7, 1.12.4, or 1.13.1 (or a later release on the same line), as applicable to your deployment. This is the only effective fix.
2. Restrict network access to the istiod control plane port (15012) using firewall rules, Kubernetes network policies, or service mesh ingress controls so that only trusted clients and internal cluster traffic can reach it.
3. For multicluster deployments, ensure that the istiod endpoint is not exposed to the public internet, or is reachable only through VPNs or secure tunnels.
4. Implement continuous monitoring and alerting for unusual traffic patterns targeting port 15012 to detect potential exploitation attempts.
5. Regularly audit Istio configurations and deployment topologies to minimize unnecessary exposure of control plane endpoints.
6. Employ defense in depth by combining network segmentation, zero-trust principles, and strong identity and access management for microservices communication.
7. Stay informed on Istio security advisories and apply patches promptly to address emerging vulnerabilities.
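Recommendations 2 and 4 both come down to knowing which sources reach port 15012. The following added example, not part of the advisory or of Istio, shows the detection side: it reads flow-log records, keeps only connections to 15012, flags any source address outside the cluster's trusted ranges, and separately flags any single source (trusted or not) that opens more connections than a burst threshold. The key=value log format, the trusted CIDRs, and the sample records are all constructed for the example; map your CNI or cloud flow-log fields onto `LINE_RE` and replace `TRUSTED_CIDRS` with your own pod and node allocations (and, in a primary-remote topology, the remote cluster's node range).

```python
"""Flag connections to istiod's port 15012 that come from outside trusted ranges."""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Optional

ISTIOD_PORT = 15012  # unauthenticated TLS endpoint named in the advisory

# Assumed trusted source ranges; replace with your cluster's real CIDRs.
TRUSTED_CIDRS = [
    ipaddress.ip_network("10.0.0.0/16"),       # pod CIDR (assumed)
    ipaddress.ip_network("192.168.10.0/24"),   # node CIDR (assumed)
    ipaddress.ip_network("192.168.20.0/24"),   # remote cluster nodes (assumed)
]

# Constructed key=value flow-log format; adapt the pattern to your real source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s*$"
)

# Constructed sample: in-cluster sidecars, a remote-cluster node, two external
# addresses (one of them bursting), unrelated traffic on 443, one malformed line.
SAMPLE_LOG = """\
2022-02-22T22:00:01Z src=10.0.5.12 dst=10.0.1.4 dport=15012 proto=tcp
2022-02-22T22:00:02Z src=192.168.20.8 dst=10.0.1.4 dport=15012 proto=tcp
2022-02-22T22:00:03Z src=203.0.113.7 dst=10.0.1.4 dport=15012 proto=tcp
2022-02-22T22:00:03Z src=203.0.113.7 dst=10.0.1.4 dport=15012 proto=tcp
2022-02-22T22:00:04Z src=203.0.113.7 dst=10.0.1.4 dport=15012 proto=tcp
2022-02-22T22:00:04Z src=203.0.113.7 dst=10.0.1.4 dport=15012 proto=tcp
2022-02-22T22:00:05Z src=203.0.113.7 dst=10.0.1.4 dport=15012 proto=tcp
2022-02-22T22:00:05Z src=203.0.113.7 dst=10.0.1.4 dport=15012 proto=tcp
2022-02-22T22:00:06Z src=10.0.5.13 dst=10.0.1.4 dport=443 proto=tcp
2022-02-22T22:00:07Z src=198.51.100.4 dst=10.0.1.4 dport=15012 proto=tcp
this line is not a flow record
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the record's fields, or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_CIDRS)


def analyze(lines: Iterable[str], burst_threshold: int = 5) -> Dict[str, object]:
    """Sources outside TRUSTED_CIDRS that reached 15012, plus any source whose
    connection count in the sample exceeds burst_threshold."""
    per_source: Counter = Counter()
    untrusted = set()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed records are counted, not dropped silently
            continue
        if rec["dport"] != ISTIOD_PORT:
            continue
        per_source[rec["src"]] += 1
        if not is_trusted(rec["src"]):
            untrusted.add(rec["src"])
    return {
        "untrusted_sources": sorted(untrusted, key=ipaddress.ip_address),
        "bursts": {s: n for s, n in per_source.items() if n > burst_threshold},
        "skipped_lines": skipped,
    }


def analyze_sample() -> Dict[str, object]:
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(analyze_sample())
```

Any entry in `untrusted_sources` is a direct violation of recommendations 2 and 3 and is worth an alert on its own; the burst list is a weaker signal, since in-cluster sidecars legitimately reconnect, so tune `burst_threshold` against your mesh's normal reconnect rate before paging on it.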


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-01-19T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9842c4522896dcbf25b7

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 4:17:21 PM

Last updated: 8/12/2025, 7:53:38 PM
