CVE-2022-29224

Segmentation fault leading to crash in Envoy

Severity Score

5.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference. Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade may disable gRPC health checking and/or replace it with a different health checking type as a mitigation.

Envoy is a cloud-native high-performance proxy. Versions of Envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can "hold" (prevent removal of) upstream hosts obtained via service discovery until the configured active health check fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), the attacker can crash Envoy by forcing removal of the host from service discovery and then failing the gRPC health check request. This crashes Envoy via a null pointer dereference. Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade can disable gRPC health checking and/or replace it with a different health checking type as a mitigation.

A flaw was found in Envoy. This flaw allows an attacker who controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.) to crash Envoy by forcing the removal of the host from service discovery and then failing the gRPC health check request. This issue crashes Envoy via a NULL pointer dereference.
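The two checks a practitioner wants from the description above, as an added example that is not code from the Envoy project or the advisory: first, is the running release before the 1.22.1 fix; second, does the configuration combine the two ingredients the advisory names, a cluster whose hosts come from service discovery (EDS or DNS) and a gRPC active health check on it. The script also applies the advisory's workaround by swapping the gRPC check for an HTTP one. The embedded config is a constructed minimal Envoy v3 bootstrap in JSON form; the cluster names, the port and the `/healthz` path are assumptions.

```python
import copy
import json

# Constructed sample: the JSON form of a minimal Envoy v3 bootstrap with one
# EDS-discovered cluster that uses a gRPC active health check (the combination
# the advisory describes) and the static xDS cluster it discovers through.
# Cluster names, ports and the service name are invented for this example.
SAMPLE_CONFIG = json.loads("""
{
  "static_resources": {
    "clusters": [
      {
        "name": "backend",
        "type": "EDS",
        "eds_cluster_config": {
          "eds_config": {
            "resource_api_version": "V3",
            "api_config_source": {
              "api_type": "GRPC",
              "transport_api_version": "V3",
              "grpc_services": [{"envoy_grpc": {"cluster_name": "xds_cluster"}}]
            }
          }
        },
        "health_checks": [{
          "timeout": "1s",
          "interval": "5s",
          "unhealthy_threshold": 2,
          "healthy_threshold": 2,
          "grpc_health_check": {"service_name": "backend"}
        }]
      },
      {
        "name": "xds_cluster",
        "type": "STATIC",
        "load_assignment": {
          "cluster_name": "xds_cluster",
          "endpoints": [{"lb_endpoints": [{"endpoint": {"address": {
            "socket_address": {"address": "127.0.0.1", "port_value": 18000}}}}]}]
        }
      }
    ]
  }
}
""")

FIXED_VERSION = (1, 22, 1)  # first release with the fix, per the advisory

# Cluster types whose hosts come from service discovery, i.e. the hosts an
# attacker who controls DNS or the EDS feed can add and remove at will.
DISCOVERED_TYPES = {"EDS", "STRICT_DNS", "LOGICAL_DNS"}


def parse_version(version: str) -> tuple:
    """Turn a dotted Envoy release string such as '1.21.3' or 'v1.22.0' into a
    tuple of ints so releases compare numerically (1.9 < 1.22)."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_affected_version(version: str) -> bool:
    """True for every Envoy release before 1.22.1."""
    return parse_version(version) < FIXED_VERSION


def grpc_health_checked_clusters(config: dict) -> list:
    """Names of discovery-backed clusters with a gRPC active health check.

    Envoy treats a cluster without an explicit 'type' as STATIC, so those are
    skipped: an attacker cannot remove a static host via service discovery."""
    hits = []
    for cluster in config.get("static_resources", {}).get("clusters", []):
        if cluster.get("type", "STATIC") not in DISCOVERED_TYPES:
            continue
        if any("grpc_health_check" in hc for hc in cluster.get("health_checks", [])):
            hits.append(cluster["name"])
    return hits


def mitigate(config: dict, path: str = "/healthz") -> dict:
    """Return a copy of the config in which every gRPC health check on a
    discovery-backed cluster is swapped for an HTTP health check on `path`.

    This is the advisory's interim workaround, not a replacement for the
    upgrade, and it assumes the upstream actually serves `path`."""
    patched = copy.deepcopy(config)
    for cluster in patched.get("static_resources", {}).get("clusters", []):
        if cluster.get("type", "STATIC") not in DISCOVERED_TYPES:
            continue
        for hc in cluster.get("health_checks", []):
            if "grpc_health_check" in hc:
                del hc["grpc_health_check"]
                hc["http_health_check"] = {"path": path}
    return patched


if __name__ == "__main__":
    running = "1.21.3"  # assumed release of the proxy being audited
    print(f"Envoy {running} affected: {is_affected_version(running)}")
    print("gRPC-checked discovered clusters:", grpc_health_checked_clusters(SAMPLE_CONFIG))
    fixed = mitigate(SAMPLE_CONFIG)
    print("after workaround:", grpc_health_checked_clusters(fixed))
    print(json.dumps(fixed["static_resources"]["clusters"][0]["health_checks"], indent=2))
```

The audit deliberately ignores clusters of type STATIC: the crash needs a host that service discovery can remove while a gRPC check against it is still outstanding, and a static host is never removed that way. The workaround only narrows exposure; the fix is the upgrade to 1.22.1 or later.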

*Credits: N/A
CVSS Scores

CVSS v3.1 (base score 5.9; vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: Network
  Attack Complexity: High
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality: None
  Integrity: None
  Availability: High

CVSS v2 (vector AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Attack Vector: Network
  Attack Complexity: Medium
  Authentication: None
  Confidentiality: None
  Integrity: None
  Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-04-13 CVE Reserved
  • 2022-06-09 CVE Published
  • 2023-12-31 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
Affected Vendors, Products, and Versions
Vendor      Product  Version   Other  Status
Envoyproxy  Envoy    < 1.22.1  -      Affected