CVE-2022-21657

low-risk

Published 2022-02-22

Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.8/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Envoy

Affected Vendors

Envoyproxy

References (4)

Patch https://github.com/envoyproxy/envoy/pull/630

Issue Tracking https://github.com/envoyproxy/envoy/security/advisories/GHSA-837m-wjrv-vm5g

Patch https://github.com/envoyproxy/envoy/pull/630

Issue Tracking https://github.com/envoyproxy/envoy/security/advisories/GHSA-837m-wjrv-vm5g

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal