CVE-2022-21655

Summary

Envoy is an open source edge and service proxy, designed for cloud-native applications. The envoy common router will segfault if an internal redirect selects a route configured with direct response or redirect actions. This will result in a denial of service. As a workaround turn off internal redirects if direct response entries are configured on the same listener.

Affected Software

VendorProductVersion RangeStatus
envoyproxyenvoy< 1.18.6affected
envoyproxyenvoy>= 1.19.0, < 1.19.3affected
envoyproxyenvoy>= 1.20.0, < 1.20.2affected
envoyproxyenvoy>= 1.21.0, < 1.21.1affected

Weaknesses

  • CWE-670: CWE-670: Always-Incorrect Control Flow Implementation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References