CVE-2022-21657
published 2022-02-22CVE-2022-21657: Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it…
PriorityP434medium6.5CVSS 3.1
AVNACLPRLUINSUCNIHAN
EPSS
0.51%
39.5th percentile
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| envoyproxy | envoy | < 1.18.6 | 1.18.6 |
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | — | — |
| envoyproxy | envoy | >= 1.19.0 < 1.19.3 | 1.19.3 |
| envoyproxy | envoy | >= 1.20.0 < 1.20.2 | 1.20.2 |
| github.com | pomerium_pomerium | >= 0 < 0.16.4 | 0.16.4 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:P/A:N
ghsa7.5HIGH
osv7.5HIGH
vendor_redhat6.8MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
envoy: X.509 Extended Key Usage and Trust Purposes bypass
vendor_redhat·2022-02-23·CVSS 6.8
CVE-2022-21657 [MEDIUM] CWE-295 envoy: X.509 Extended Key Usage and Trust Purposes bypass
envoy: X.509 Extended Key Usage and Trust Purposes bypass
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS
OSV
Multiple security issues in Pomerium's embedded envoy
osv·2022-03-01·CVSS 7.5
[HIGH] Multiple security issues in Pomerium's embedded envoy
Multiple security issues in Pomerium's embedded envoy
Envoy, which Pomerium is based on, has issued multiple CVEs impacting stability and security.
Though Pomerium may not be vulnerable to all of the issues, it is recommended that all users upgrade to Pomerium v0.16.4 as soon as possible to minimize risk.
### Impact
- Possible DoS or crash
- Resources available to unauthorized users
- Pomerium may trust upstream certificates that should not be trusted
### Patches
Patched in v0.16.4
### Workarounds
No
### References
[Envoy Security Announcement](https://groups.google.com/g/envoy-security-announce/c/QBGxoqZdTR4)
* [CVE-2021-43824](https://github.com/envoyproxy/envoy/security/advisories/GHSA-vj5m-rch8-5r2p) (CVSS Score 6.5, Medium): Envoy 1.21.0 and earlier - Potential null pointer d
GHSA
Multiple security issues in Pomerium's embedded envoy
ghsa·2022-03-01·CVSS 7.5
[HIGH] Multiple security issues in Pomerium's embedded envoy
Multiple security issues in Pomerium's embedded envoy
Envoy, which Pomerium is based on, has issued multiple CVEs impacting stability and security.
Though Pomerium may not be vulnerable to all of the issues, it is recommended that all users upgrade to Pomerium v0.16.4 as soon as possible to minimize risk.
### Impact
- Possible DoS or crash
- Resources available to unauthorized users
- Pomerium may trust upstream certificates that should not be trusted
### Patches
Patched in v0.16.4
### Workarounds
No
### References
[Envoy Security Announcement](https://groups.google.com/g/envoy-security-announce/c/QBGxoqZdTR4)
* [CVE-2021-43824](https://github.com/envoyproxy/envoy/security/advisories/GHSA-vj5m-rch8-5r2p) (CVSS Score 6.5, Medium): Envoy 1.21.0 and earlier - Potential null pointer d
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-02-22
Published