CVE-2022-29224

Segmentation fault leading to crash in Envoy

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference. Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade may disable gRPC health checking and/or replace it with a different health checking type as a mitigation.

Envoy es un proxy de alto rendimiento nativo de la nube. Las versiones de Envoy anteriores a 1.22.1 están sujetas a un fallo de segmentación en el GrpcHealthCheckerImpl. Envoy puede llevar a cabo varios tipos de comprobación de la salud de los usuarios. Uno de ellos usa gRPC. Envoy también presenta una función que puede "retener" (impedir la eliminación) los hosts upstream obtenidos por medio de la detección de servicios hasta que falle la comprobación de salud activa configurada. Si un atacante controla un host upstream y también controla la detección de servicios de ese host (a través de DNS, la API EDS, etc.), un atacante puede bloquear Envoy al forzar la eliminación del host de la detección de servicios, y luego fallando la petición de comprobación de salud gRPC. Esto bloqueará Envoy por medio de una desreferencia de puntero null. Es recomendado a usuarios actualizar para resolver esta vulnerabilidad. Los usuarios que no puedan actualizar pueden deshabilitar la comprobación de estado de gRPC y/o sustituirla por un tipo de comprobación de estado diferente como medida de mitigación

A flaw was found in Envoy. This flaw allows an attacker who controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.) to crash Envoy by forcing the removal of the host from service discovery and then failing the gRPC health check request. This issue crashes Envoy via a NULL pointer dereference.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-04-13 CVE Reserved
2022-06-09 CVE Published
2023-12-31 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-476: NULL Pointer Dereference

CAPEC

References (4)

URL	Tag	Source
https://github.com/envoyproxy/envoy/security/advisories/GHSA-m4j9-86g3-8f49	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/envoyproxy/envoy/commit/9b1c3962172a972bc0359398af6daa3790bb59db	2023-11-07

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-29224	2022-06-13
https://bugzilla.redhat.com/show_bug.cgi?id=2088738	2022-06-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Envoyproxy Search vendor "Envoyproxy"		Envoy Search vendor "Envoyproxy" for product "Envoy"				< 1.22.1 Search vendor "Envoyproxy" for product "Envoy" and version " < 1.22.1"		-		Affected