CVE-2022-29224 : Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.

Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can â€œholdâ€? (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference. Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade may disable gRPC health checking and/or replace it with a different health checking type as a mitigation.

Published 2022-06-09 19:15:10

Updated 2023-02-23 17:53:27

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Products affected by CVE-2022-29224

Envoyproxy » Envoy
Versions before (<) 1.22.1
cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-29224

EPSS FAQ

0.23%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-29224

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-29224

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-29224

https://github.com/envoyproxy/envoy/commit/9b1c3962172a972bc0359398af6daa3790bb59db

healthcheck: fix grpc inline removal crashes (#749) · envoyproxy/envoy@9b1c396 · GitHub
Patch
https://github.com/envoyproxy/envoy/security/advisories/GHSA-m4j9-86g3-8f49

Segfault in GrpcHealthCheckerImpl · Advisory · envoyproxy/envoy · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-29224

Products affected by CVE-2022-29224

Exploit prediction scoring system (EPSS) score for CVE-2022-29224

CVSS scores for CVE-2022-29224

CWE ids for CVE-2022-29224

References for CVE-2022-29224