CVE-2022-21654
Incorrect configuration handling allows TLS session re-use without re-validation in Envoy
In short
Envoy can resume an earlier TLS session without re-validating the peer certificate when some of its certificate validation settings are not the defaults. A peer accepted under the validation rules in force when the session was first established can keep being accepted on resumed sessions, so a change to those rules does not necessarily take effect for resumed connections. The only workaround the advisory offers is to run with default TLS settings; otherwise, upgrade.
Technical detail
TLS session resumption (by session ID or session ticket) skips the full handshake, so the peer certificate is not presented or validated again; a resumed session is only as safe as the assumption that the original validation ran under the same rules that apply now. Envoy's TLS implementation allowed a cached session to be resumed when some certificate validation settings had been changed from their default configuration, so the current settings were not applied to resumed connections and a peer that would fail them could still be accepted. The advisory does not enumerate which settings are affected, so any deployment with a non-default certificate validation configuration should be treated as affected until upgraded. The CVSS vector rates the impact as high for confidentiality and integrity, with high attack complexity and no privileges or user interaction required.
Summary generated and translated by AI from the official description.
Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's TLS allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default TLS settings are used. Users are advised to upgrade.
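A quick way to find the deployments the workaround applies to, as an added example that is not code from the Envoy project: the script below walks a JSON-form Envoy bootstrap (Envoy accepts JSON as well as YAML) and reports every UpstreamTlsContext or DownstreamTlsContext whose CertificateValidationContext sets anything beyond trusted_ca, with the JSON path of each hit. Because the advisory does not say which validation settings count as non-default, treating everything beyond trusted_ca as non-default is an assumption made here, deliberately on the conservative side; the sample bootstrap, its file paths and the certificate hash are constructed placeholders.

```python
"""Triage an Envoy bootstrap for TLS validation contexts that deviate from the defaults.

Added example for CVE-2022-21654, not code from the Envoy project. The advisory only says
that "some" certificate validation settings trigger the unsafe session re-use, so this
script makes one labelled assumption: any CertificateValidationContext that sets a field
other than trusted_ca is reported as non-default and therefore in scope for the upgrade.
"""
import json
from typing import Any, Dict, List, Tuple

# Envoy v3 type URLs of the two TLS transport socket contexts.
TLS_CONTEXT_TYPES = (
    "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
    "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
)
# Assumption: a validation context carrying only trusted_ca is the default configuration.
DEFAULT_ONLY_FIELDS = {"trusted_ca"}


def _validation_contexts(common: Dict[str, Any]) -> List[Tuple[str, Dict[str, Any]]]:
    """Return (field path, CertificateValidationContext) pairs held by a CommonTlsContext."""
    found = []
    if isinstance(common.get("validation_context"), dict):
        found.append(("validation_context", common["validation_context"]))
    combined = common.get("combined_validation_context", {})
    if isinstance(combined.get("default_validation_context"), dict):
        found.append(("combined_validation_context.default_validation_context",
                      combined["default_validation_context"]))
    return found


def find_non_default_validation(node: Any, path: str = "$") -> List[Dict[str, Any]]:
    """Walk a parsed bootstrap and report every TLS context whose validation settings
    go beyond trusted_ca, with a JSON path so the operator can find it in the config."""
    findings: List[Dict[str, Any]] = []
    if isinstance(node, dict):
        if node.get("@type") in TLS_CONTEXT_TYPES:
            common = node.get("common_tls_context", {})
            for field, vctx in _validation_contexts(common):
                extra = sorted(set(vctx) - DEFAULT_ONLY_FIELDS)
                if extra:
                    findings.append({
                        "path": f"{path}.common_tls_context.{field}",
                        "type": node["@type"].rsplit(".", 1)[-1],
                        "non_default_fields": extra,
                    })
        for key, value in node.items():
            findings.extend(find_non_default_validation(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_non_default_validation(item, f"{path}[{i}]"))
    return findings


def triage(bootstrap_json: str) -> List[Dict[str, Any]]:
    """Parse a JSON-form Envoy bootstrap and return the non-default validation findings."""
    return find_non_default_validation(json.loads(bootstrap_json))


# Constructed sample bootstrap (Envoy accepts JSON as well as YAML). File paths and the
# certificate hash are placeholders, not values from any real deployment.
SAMPLE_BOOTSTRAP = """{
  "static_resources": {
    "listeners": [{"name": "mtls_ingress", "filter_chains": [{"transport_socket": {
      "name": "envoy.transport_sockets.tls",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
        "require_client_certificate": true,
        "common_tls_context": {"combined_validation_context": {"default_validation_context": {
          "trusted_ca": {"filename": "/etc/envoy/client-ca.pem"},
          "verify_certificate_hash": ["0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"]
        }}}
      }}}]}],
    "clusters": [
      {"name": "payments", "transport_socket": {
        "name": "envoy.transport_sockets.tls",
        "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
          "common_tls_context": {"validation_context": {
            "trusted_ca": {"filename": "/etc/envoy/ca.pem"},
            "match_typed_subject_alt_names": [{"san_type": "DNS", "matcher": {"exact": "payments.svc"}}]
          }}
        }}},
      {"name": "metrics", "transport_socket": {
        "name": "envoy.transport_sockets.tls",
        "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
          "common_tls_context": {"validation_context": {"trusted_ca": {"filename": "/etc/envoy/ca.pem"}}}
        }}}
    ]
  }
}"""

if __name__ == "__main__":
    for f in triage(SAMPLE_BOOTSTRAP):
        print(f"{f['type']} at {f['path']}: non-default fields {f['non_default_fields']}")
```

Run against the sample, the mTLS listener (verify_certificate_hash) and the payments cluster (match_typed_subject_alt_names) are reported, while the metrics cluster, which trusts a CA and nothing else, is not. Validation contexts delivered via SDS are outside what a static bootstrap walk can see and need to be checked at the secret source.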
CVSS v3.1 base score 7.4 (High): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
envoyproxy · envoy