TL;DR: Mainline Envoy builds use BoringSSL and are NOT affected. Any custom builds using OpenSSL will have to do their own analysis.
OpenSSL CVEs:
CVE-2022-1292
CVE-2022-1343
CVE-2022-1434
CVE-2022-1273
are all based on code BoringSSL does not include. BoringSSL is happily living up to its name :-)
best,
Alyssa, on behalf of Envoy Security Team.