CVE-2022-21657
X.509 Extended Key Usage and Trust Purposes bypass in Envoy
Public Exploits: 0
Exploited in Wild: -
Description
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade.
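The restriction the advisory describes, shown as an added example rather than Envoy's own code: using only the Go standard library, it issues a constructed root -> intermediate -> leaf chain and then validates it the way a TLS client should, requiring id-kp-serverAuth on every certificate in the chain. Both cases from the description are exercised: a leaf that carries only id-kp-emailProtection, and an intermediate CA scoped to S/MIME. The certificate names, the host name upstream.example and all function names (IssueChain, PermitsUsage, VerifyForServerAuth, IsIncompatibleUsage) are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type Chain struct{ Root, Intermediate, Leaf *x509.Certificate } // constructed root -> intermediate -> leaf

// mkCert generates a P-256 key and signs tmpl with parentKey; a nil parent self-signs.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueChain builds a constructed chain whose intermediate and leaf carry the given EKU lists; an
// empty list omits the extension, which X.509 treats as "any purpose". The root carries none.
func IssueChain(interEKU, leafEKU []x509.ExtKeyUsage) (*Chain, error) {
	base := x509.Certificate{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	root, inter, leaf := base, base, base
	root.SerialNumber, root.Subject = big.NewInt(1), pkix.Name{CommonName: "Constructed Test Root"}
	root.IsCA, root.BasicConstraintsValid, root.KeyUsage = true, true, x509.KeyUsageCertSign
	inter.SerialNumber, inter.Subject = big.NewInt(2), pkix.Name{CommonName: "Constructed Test Intermediate"}
	inter.IsCA, inter.BasicConstraintsValid, inter.KeyUsage, inter.ExtKeyUsage = true, true, x509.KeyUsageCertSign, interEKU
	leaf.SerialNumber, leaf.Subject = big.NewInt(3), pkix.Name{CommonName: "upstream.example"} // hypothetical host
	leaf.DNSNames, leaf.KeyUsage, leaf.ExtKeyUsage = []string{"upstream.example"}, x509.KeyUsageDigitalSignature, leafEKU
	rootCert, rootKey, err := mkCert(&root, nil, nil)
	if err != nil {
		return nil, err
	}
	interCert, interKey, err := mkCert(&inter, rootCert, rootKey)
	if err != nil {
		return nil, err
	}
	leafCert, _, err := mkCert(&leaf, interCert, interKey)
	return &Chain{Root: rootCert, Intermediate: interCert, Leaf: leafCert}, err
}

// PermitsUsage is the per-certificate rule: no EKU extension means unrestricted; otherwise
// the required purpose (or anyExtendedKeyUsage) must be listed.
func PermitsUsage(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, u := range c.ExtKeyUsage {
		if u == want || u == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// VerifyForServerAuth validates the chain as a TLS client and, through KeyUsages, requires
// id-kp-serverAuth on every certificate in it; a TLS server would ask for ExtKeyUsageClientAuth.
func VerifyForServerAuth(ch *Chain, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ch.Root)
	inters.AddCert(ch.Intermediate)
	_, err := ch.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// IsIncompatibleUsage reports whether err is specifically the EKU rejection.
func IsIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	smime, tls := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	for _, c := range []struct{ name string; inter, leaf []x509.ExtKeyUsage }{
		{"serverAuth leaf", nil, tls}, {"emailProtection leaf", nil, smime}, {"S/MIME-only intermediate", smime, tls}} {
		ch, err := IssueChain(c.inter, c.leaf)
		if err != nil {
			panic(err)
		}
		err = VerifyForServerAuth(ch, "upstream.example")
		fmt.Printf("%-26s accepted=%-5v ekuRejected=%v\n", c.name, err == nil, IsIncompatibleUsage(err))
	}
}
```

Running it prints one line per case: only the serverAuth leaf under an unrestricted CA is accepted; the other two are rejected with IncompatibleUsage. One caveat worth knowing when reasoning about this class of bug: a CA certificate that carries no extendedKeyUsage extension at all is treated as unrestricted by this check (and by most chain validators), so EKU enforcement only catches an S/MIME CA that is explicitly scoped to id-kp-emailProtection.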
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-11-16 CVE Reserved
- 2022-02-22 CVE Published
- 2023-09-15 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-295: Improper Certificate Validation
CAPEC
References (2)
URL | Tag | Date |
---|---|---|
https://github.com/envoyproxy/envoy/security/advisories/GHSA-837m-wjrv-vm5g | Issue Tracking | - |
https://github.com/envoyproxy/envoy/pull/630 | - | 2022-03-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status |
---|---|---|---|
Envoyproxy | Envoy | < 1.18.6 | Affected |
Envoyproxy | Envoy | >= 1.19.0 < 1.19.3 | Affected |
Envoyproxy | Envoy | >= 1.20.0 < 1.20.2 | Affected |