CVE-2022-29224

low-risk
Published 2022-06-09

Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference. Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade may disable gRPC health checking and/or replace it with a different health checking type as a mitigation.

Do I need to act?

~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Envoyproxy

References (4)

Patch https://github.com/envoyproxy/envoy/commit/9b1c3962172a972bc0359398af6daa3790bb5...
Third Party Advisory https://github.com/envoyproxy/envoy/security/advisories/GHSA-m4j9-86g3-8f49
Patch https://github.com/envoyproxy/envoy/commit/9b1c3962172a972bc0359398af6daa3790bb5...
Third Party Advisory https://github.com/envoyproxy/envoy/security/advisories/GHSA-m4j9-86g3-8f49
26
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal