CVE-2022-31045 — Ill-formed headers may lead to unexpected behavior in Istio

Description

### Impact Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. You are at most risk if you have an Istio ingress Gateway exposed to external traffic. ### Patches 1.12.8, 1.13.5, 1.14.1 ### Workarounds No. ### References More details can be found in the [Istio Security Bulletin](https://istio.io/latest/news/security/istio-security-2022-05) ### For more information If you have any questions or comments about this advisory, please email us at [[email protected]](mailto:[email protected])

How to fix CVE-2022-31045

To remediate CVE-2022-31045, upgrade the affected package to a fixed version below.

—upgrade to 1.12.18 or later

Is CVE-2022-31045 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.12.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-31045
PATCHgithub.com/istio/istio
WEBgithub.com/istio/istio/security/advisories/GHSA-xwx5-5c9g-x68x
WEBistio.io/latest/news/security/istio-security-2022-05