CVE-2022-23606
Crash when a cluster is deleted in Envoy
- Severity Score:
- Exploit Likelihood:
- Affected Versions:
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade.
A flaw was found in Envoy. When a cluster is deleted via the Cluster Discovery Service, a stack exhaustion may occur.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-01-19 CVE Reserved
- 2022-02-22 CVE Published
- 2023-09-15 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-674: Uncontrolled Recursion
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (4)
URL | Tag | Source
---|---|---
https://github.com/envoyproxy/envoy/security/advisories/GHSA-9vp2-4cp7-vvxf | Issue Tracking |

URL | Date | SRC
---|---|---
https://github.com/envoyproxy/envoy/commit/4b6dd3b53cd5c6d4d4df378a2fc62c1707522b31 | 2022-03-02 |

URL | Date | SRC
---|---|---
https://access.redhat.com/security/cve/CVE-2022-23606 | 2022-04-07 |
https://bugzilla.redhat.com/show_bug.cgi?id=2050758 | 2022-04-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Envoyproxy | Envoy | >= 1.20.0 < 1.20.2 | - | Affected
Envoyproxy | Envoy | 1.21.0 | - | Affected