CVE-2022-39278: 
Istio Control Plane (istiod) vulnerability analysis and mitigation

The Istio control plane (istiod) vulnerability, identified as CVE-2022-39278, was discovered and patched in October 2022. This vulnerability affects all versions of Istio prior to versions 1.15.2, 1.14.5, and 1.13.9. The vulnerability exists in the control plane's request processing system, specifically when the Kubernetes validating or mutating webhook service is exposed publicly over TLS port 15017 (GitHub Advisory).

The vulnerability stems from an error in the regexp.Compile function in Go, which affects the Istio control plane's ability to handle specially crafted or oversized messages. The service operates over TLS port 15017 and notably does not require authentication from potential attackers. While typically only reachable from within the cluster in simple installations, some deployments, particularly external istiod topologies, may expose this port to the public internet (GitHub Advisory).

When exploited, this vulnerability can result in the control plane crashing when processing specially crafted or oversized messages. The impact is particularly significant for deployments where the istiod service is exposed to the public internet, though the blast radius is typically limited in simple installations where istiod is only reachable from within the cluster (GitHub Advisory).

The vulnerability has been patched in Istio versions 1.15.2, 1.14.5, and 1.13.9. No effective workarounds exist beyond upgrading to these patched versions. The fix includes replacing all uses of stdlib regexp with the Go 1.19.2 stdlib implementation to guard against DOS via malformed regular expressions (Istio Release).