CVE-2022-29224

Segmentation fault leading to crash in Envoy

CVSS 5.9 MEDIUM · EPSS 0.9% · CWE-476
In short

Envoy proxy crashes when a gRPC health check fails on a host that was already removed from service discovery, due to a null pointer error. An attacker controlling both the upstream host and service discovery can trigger this crash.

Technical detail

A CWE-476 null pointer dereference in GrpcHealthCheckerImpl occurs when a gRPC health check runs against a host that Envoy still holds in memory after service discovery has removed it. Exploitation requires control of both the upstream host and the service discovery mechanism that advertises it (DNS, the EDS API); the impact is denial of service through a process crash.

Summary generated and translated by AI from the official description.
Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference. Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade may disable gRPC health checking and/or replace it with a different health checking type as a mitigation.
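The following is an added example, not code from the advisory or from the Envoy project: two static cluster definitions showing the workaround the advisory names for deployments that cannot yet upgrade to 1.22.1, that is, swapping the gRPC active health check for an HTTP one. Cluster names, the DNS hostname and the `/healthz` path are constructed placeholders; the configuration keys are Envoy's standard cluster and health check fields.

```yaml
# Added example (not from the advisory or the Envoy project).
# Cluster names, hostnames and the health check path are constructed placeholders.

# BEFORE: DNS-discovered cluster with gRPC active health checking.
# On Envoy < 1.22.1 this combination is exposed: a host that DNS has dropped
# but Envoy still holds (pending a failed active check) can trigger the
# null pointer dereference in GrpcHealthCheckerImpl when its gRPC check fails.
clusters:
- name: backend_grpc_hc
  type: STRICT_DNS
  connect_timeout: 1s
  load_assignment:
    cluster_name: backend_grpc_hc
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: backend.example.internal   # constructed placeholder
              port_value: 8080
  health_checks:
  - timeout: 1s
    interval: 5s
    unhealthy_threshold: 3
    healthy_threshold: 2
    grpc_health_check: {}          # the affected checker type

# AFTER: same cluster, same discovery, HTTP health checking instead.
# This avoids the GrpcHealthCheckerImpl code path entirely, matching the
# advisory's "replace it with a different health checking type" workaround.
- name: backend_http_hc
  type: STRICT_DNS
  connect_timeout: 1s
  load_assignment:
    cluster_name: backend_http_hc
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: backend.example.internal   # constructed placeholder
              port_value: 8080
  health_checks:
  - timeout: 1s
    interval: 5s
    unhealthy_threshold: 3
    healthy_threshold: 2
    http_health_check:
      path: /healthz               # constructed placeholder; the upstream must serve it
```

The workaround only removes the crashing code path; it does not change the host-holding behaviour that keeps removed endpoints alive until a check fails, so the upgrade to 1.22.1 remains the actual fix. To my knowledge (this is not stated in the advisory), the hold behaviour corresponds to the cluster field `ignore_health_on_host_removal` being left at its default of false; inventory which clusters combine active health checking with dynamic discovery when scoping exposure.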
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
envoyproxy · envoy
