Security release of Envoy [1.22.1, 1.21.3, 1.20.4, 1.19.5] is now available

107 views
Skip to first unread message

Matt Klein

unread,
Jun 9, 2022, 12:18:17 PMJun 9
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers, Pradeep Rao
Hello Envoy Community,

The Envoy security team would like to announce the availability of Envoy [1.22.1, 1.21.3, 1.20.4, 1.19.5].

This addresses the following CVE(s):
  • CVE-2022-29225 (CVSS score 7.5, High): Decompressors can be zip bombed
    • Decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload.
  • CVE-2022-29224 (CVSS score 5.9, Medium): Segfault in GrpcHealthCheckerImpl
    • An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
  • CVE-2022-29226 (CVSS score 10.0, Critical): oauth filter allows trivial bypass
    • The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
  • CVE-2022-29228 (CVSS score 7.5, High): oauth filter calls continueDecoding() from within decodeHeaders()
    • The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions.
  • CVE-2022-29227 (CVSS score 7.5, High): Internal redirect crash for requests with body/trailers
    • Envoy internal redirects for requests with bodies or trailers are not safe if the redirect prompts an Envoy-generated local reply.
Upgrading to [1.22.1, 1.21.3, 1.20.4, 1.19.5] is encouraged to fix these issues. Releases have been tagged and images will be published shortly. Further details of each vulnerability can be obtained in the associated security advisory links above.

**How do I upgrade?**

Update to [1.22.1, 1.21.3, 1.20.4, 1.19.5] via your Envoy distribution or rebuild from the Envoy GitHub source at the [1.22.1, 1.21.3, 1.20.4, 1.19.5] tag or HEAD @ main.

**Thank you**

Thank you to reporters, fix developers, and the release team for the coordination in making this release.

Thanks,
Matt and Pradeep (on behalf of the Envoy security team and maintainers)

Matt Klein

unread,
Jun 10, 2022, 4:24:09 PMJun 10
to envoy-secur...@googlegroups.com, ry...@synca.io, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers, Pradeep Rao
Hi all,

We had trouble shipping the images for v1.22.1, so we did some build fixes and tagged and shipped v1.22.2 which should be out now. Sorry for the trouble and huge thanks to @ry...@synca.io for helping to get this done.

Thanks,
Matt
Reply all
Reply to author
Forward
0 new messages