Vulnerability CVE-2022-21657

Vulnerability Name:

CVE-2022-21657 (CCN-220181)

Assigned:

2021-11-16

Published:

2022-02-22

Updated:

2022-03-07

Summary:

Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

3.1 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
2.7 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-295

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2022-21657

Source: XF
Type: UNKNOWN
envoy-cve202221657-sec-bypass(220181)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/envoyproxy/envoy/pull/630

Source: CCN
Type: Envoy GIT Repository
X.509 Extended Key Usage and Trust Purposes bypass

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://github.com/envoyproxy/envoy/security/advisories/GHSA-837m-wjrv-vm5g

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2022-21657

Vulnerable Configuration:

Configuration 1:

cpe:/a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Version < 1.18.6)

OR cpe:/a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Version >= 1.19.0 and < 1.19.3)

OR cpe:/a:envoyproxy:envoy:*:*:*:*:*:*:*:* (Version >= 1.20.0 and < 1.20.2)

Denotes that component is vulnerable

BACK