CVE-2022-29227
Use after free in Envoy
In short
Envoy proxy has a use-after-free vulnerability when handling internal redirects of HTTP requests with bodies. If Envoy sends a local reply during the redirect process, it tries to reset an already-deleted upstream stream, causing a crash that could be exploited to disrupt service.
Technical detail
CWE-416 use-after-free in Envoy's internal redirect handling (versions <1.22.1) occurs when a local reply is sent during redirect header processing while the upstream stream has already been deleted. The vulnerability requires an HTTP request with body content and internal redirect configuration enabled; successful exploitation results in memory corruption and service denial.
Summary generated and translated by AI from the official description.
Envoy is a cloud-native high-performance edge/middle/service proxy. In versions prior to 1.22.1 if Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers, there’s a lifetime bug which can be triggered. If while replaying the request Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete. On sending the local reply, Envoy will attempt to reset the upstream stream, but as it is actually complete, and deleted, this result in a use-after-free. Users are advised to upgrade. Users unable to upgrade are advised to disable internal redirects if crashes are observed.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
envoyproxy · envoyWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →