CVE-2022-21655

7.5 HIGH

📋 TL;DR

This vulnerability in Envoy proxy causes a segmentation fault when internal redirects select routes configured with direct response or redirect actions, leading to denial of service. It affects Envoy deployments using these specific route configurations. The crash can be triggered by malicious traffic.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: All versions before 1.21.2, 1.20.3, 1.19.4, 1.18.6
Operating Systems: All platforms running Envoy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when both internal redirects are enabled AND routes with direct response or redirect actions are configured on the same listener.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage of the Envoy proxy, disrupting all traffic routed through the affected instance.

🟠 Likely Case: Intermittent crashes causing service disruption and potential cascading failures in load-balanced environments.

🟢 If Mitigated: No impact if internal redirects are disabled or the vulnerable route configurations are avoided.

🌐 Internet-Facing: HIGH - Internet-facing Envoy instances can be targeted by unauthenticated attackers to cause DoS.
🏢 Internal Only: MEDIUM - Internal attackers or misconfigured traffic could still trigger the crash.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending traffic that triggers internal redirects to vulnerable routes. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.21.2, 1.20.3, 1.19.4, 1.18.6 or later

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-7r5p-7fmh-jxpg

Restart Required: Yes

Instructions:

1. Update Envoy to a patched version.
2. Restart the Envoy service.
3. Verify configuration compatibility with the new version.

🔧 Temporary Workarounds

Disable internal redirects (all affected versions)

Turn off internal redirects if direct response or redirect entries are configured on the same listener.

Modify the Envoy configuration to set 'internal_redirect_action: PASS_THROUGH_INTERNAL_REDIRECT', or remove the internal redirect configuration from the affected routes.

🧯 If You Can't Patch

  • Apply the workaround to disable internal redirects in vulnerable configurations
  • Implement network controls to limit traffic that could trigger internal redirects

🔍 How to Verify

Check if Vulnerable:

Check the Envoy version, and check the configuration for routes that enable internal redirects on the same listener as direct response or redirect routes.

Check Version:

envoy --version

Verify Fix Applied:

Verify that the Envoy version is 1.21.2, 1.20.3, 1.19.4, 1.18.6 or later, and monitor for crashes.
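The two checks above (version, and the internal-redirect plus direct-response/redirect combination on one listener) and the "remove internal redirect configuration" workaround, as an added example that is not part of this advisory or of the Envoy project. It assumes the bootstrap is in Envoy's JSON form (Envoy accepts JSON as well as YAML; a YAML file loaded with PyYAML gives the same dict shape), that the route table is inline under route_config rather than delivered by RDS, and that internal redirects count as enabled when a route carries either the v3 internal_redirect_policy message or the deprecated internal_redirect_action: HANDLE_INTERNAL_REDIRECT field. The sample bootstrap is constructed for the example.

```python
"""Static pre-condition check and workaround for CVE-2022-21655 (added example)."""
import copy
import json
from typing import Iterator

# Fixed patch level per release branch, as listed in the advisory. Branches
# older than 1.18 received no fix; branches newer than 1.21 were cut after the
# fix and are treated as fixed (assumption).
FIXED_PATCH = {(1, 21): 2, (1, 20): 3, (1, 19): 4, (1, 18): 6}
NEWEST_FIXED_BRANCH = (1, 21)


def parse_version(text: str) -> tuple:
    """Accept a bare "1.21.1" or the full `envoy --version` line, whose version
    field looks like "<sha>/1.21.1/Clean/RELEASE/BoringSSL"."""
    for token in text.replace("/", " ").split():
        parts = token.split(".")
        if len(parts) == 3 and all(p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    raise ValueError(f"no x.y.z version found in {text!r}")


def is_fixed_version(text: str) -> bool:
    major, minor, patch = parse_version(text)
    if (major, minor) > NEWEST_FIXED_BRANCH:
        return True
    if (major, minor) in FIXED_PATCH:
        return patch >= FIXED_PATCH[(major, minor)]
    return False  # unsupported branch, never patched


def _routes_of(listener: dict) -> Iterator[dict]:
    # listener -> filter_chains -> filters -> HCM typed_config -> route_config
    #          -> virtual_hosts -> routes
    for chain in listener.get("filter_chains", []):
        for filt in chain.get("filters", []):
            route_config = filt.get("typed_config", {}).get("route_config")
            if route_config:
                for vhost in route_config.get("virtual_hosts", []):
                    yield from vhost.get("routes", [])


def _handles_internal_redirects(route: dict) -> bool:
    action = route.get("route", {})
    return ("internal_redirect_policy" in action
            or action.get("internal_redirect_action") == "HANDLE_INTERNAL_REDIRECT")


def vulnerable_listeners(config: dict) -> list:
    """Names of listeners that combine internal-redirect handling with a
    direct_response or redirect route: the combination the advisory flags."""
    hits = []
    for listener in config.get("static_resources", {}).get("listeners", []):
        routes = list(_routes_of(listener))
        if (any(_handles_internal_redirects(r) for r in routes)
                and any("direct_response" in r or "redirect" in r for r in routes)):
            hits.append(listener.get("name", "<unnamed>"))
    return hits


def apply_workaround(config: dict) -> dict:
    """Return a copy with internal-redirect handling removed from every route on
    the flagged listeners; with neither field set Envoy passes 3xx responses
    through to the client (the pass-through default), which is the workaround."""
    patched = copy.deepcopy(config)
    flagged = set(vulnerable_listeners(patched))
    for listener in patched.get("static_resources", {}).get("listeners", []):
        if listener.get("name", "<unnamed>") in flagged:
            for route in _routes_of(listener):
                route.get("route", {}).pop("internal_redirect_policy", None)
                route.get("route", {}).pop("internal_redirect_action", None)
    return patched


# Constructed sample bootstrap (not from any real deployment): a direct_response
# health route next to a cluster route that handles internal redirects.
SAMPLE_CONFIG = json.loads("""
{"static_resources": {"listeners": [{
  "name": "ingress",
  "address": {"socket_address": {"address": "0.0.0.0", "port_value": 10000}},
  "filter_chains": [{"filters": [{
    "name": "envoy.filters.network.http_connection_manager",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
      "stat_prefix": "ingress_http",
      "route_config": {"name": "local_route", "virtual_hosts": [{
        "name": "backend", "domains": ["*"],
        "routes": [
          {"match": {"prefix": "/healthz"},
           "direct_response": {"status": 200, "body": {"inline_string": "ok"}}},
          {"match": {"prefix": "/"},
           "route": {"cluster": "service_backend",
                     "internal_redirect_policy": {"max_internal_redirects": 3}}}
        ]}]}
    }}]}]
}]}}
""")

if __name__ == "__main__":
    print("1.21.1 fixed:", is_fixed_version("1.21.1"))
    print("vulnerable listeners:", vulnerable_listeners(SAMPLE_CONFIG))
    print("after workaround:", vulnerable_listeners(apply_workaround(SAMPLE_CONFIG)))
```

Run it against your own bootstrap by replacing SAMPLE_CONFIG with `json.load(open(path))`; a listener name in the result means that listener needs either the patch or the workaround. Setting the deprecated internal_redirect_action field is left out of apply_workaround deliberately: removing both fields gives the same pass-through behaviour without relying on a deprecated v3 field.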

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault logs
  • Envoy crash/restart events
  • Error logs mentioning internal redirect failures

Network Indicators:

  • Sudden drop in traffic through Envoy
  • Increased 5xx errors from upstream services

SIEM Query:

source="envoy" AND ("segmentation fault" OR "SIGSEGV" OR "crash" OR "panic")
