CVE-2022-23606

Summary

Envoy is an open source edge and service proxy, designed for cloud-native applications. When a cluster is deleted via Cluster Discovery Service (CDS) all idle connections established to endpoints in that cluster are disconnected. A recursion was introduced in the procedure of disconnecting idle connections that can lead to stack exhaustion and abnormal process termination when a cluster has a large number of idle connections. This infinite recursion causes Envoy to crash. Users are advised to upgrade.

Affected Software

VendorProductVersion RangeStatus
envoyproxyenvoy>= 1.20.0, < 1.20.2affected
envoyproxyenvoy>= 1.21.0, < 1.21.1affected

Weaknesses

  • CWE-674: CWE-674: Uncontrolled Recursion

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References