CVE-2021-43826

Crash when tunneling TCP over HTTP in Envoy

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions of Envoy a crash occurs when configured for :ref:`upstream tunneling <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.tunneling_config>` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established. There are no workarounds for this issue. Users are advised to upgrade.

Envoy es un proxy de borde y servicio de código abierto, diseñado para aplicaciones nativas de la nube. En las versiones afectadas de Envoy se produce un bloqueo cuando es configurada para :ref:"upstream tunneling (envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.tunneling_config)" y la conexión de bajada es desconectada mientras sigue estableciendo la conexión de subida o el flujo http/2. No se presentan medidas de mitigación para este problema. Es recomendado a usuarios actualizar

A flaw was found in envoy. If a downstream source disconnects during upstream connection establishment when tunneling TCP over HTTP, a use-after-free can occur, resulting in a denial of service.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2022-02-22 CVE Published
2023-09-15 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (4)

URL	Tag	Source
https://github.com/envoyproxy/envoy/security/advisories/GHSA-cmx3-fvgf-83mf	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/envoyproxy/envoy/commit/ce0ae309057a216aba031aff81c445c90c6ef145	2022-03-02

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-43826	2022-04-07
https://bugzilla.redhat.com/show_bug.cgi?id=2050748	2022-04-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				< 1.18.6 Search vendor "Envoyproxy" for product "Envoy" and version " < 1.18.6"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.19.0 < 1.19.3 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.19.0 < 1.19.3"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.20.0 < 1.20.2 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.20.0 < 1.20.2"		-		Affected
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				>= 1.21.0 < 1.21.1 Search vendor "Envoyproxy" for product "Envoy" and version " >= 1.21.0 < 1.21.1"		-		Affected