CVE-2022-29225

7.5 HIGH

📋 TL;DR

Envoy proxy versions before 1.22.1 have a decompression vulnerability where attackers can send small, highly compressed payloads that expand to consume excessive memory. This zip bomb attack can cause denial of service by exhausting system resources. Any Envoy deployment using compression features is affected.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: All versions prior to 1.22.1
Operating Systems: All platforms running Envoy
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with compression/decompression enabled. Default compression settings may be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system memory exhaustion leading to service outage, potential cascading failures in dependent services, and extended downtime.

🟠 Likely Case: Intermittent service degradation or crashes affecting availability, requiring manual intervention to restart services.

🟢 If Mitigated: Minimal impact with proper memory limits and monitoring; potential performance degradation but no outage.

🌐 Internet-Facing: HIGH - Internet-facing Envoy instances are directly exposed to malicious payloads from untrusted sources.
🏢 Internal Only: MEDIUM - Internal deployments still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires sending specially crafted compressed payloads; no authentication is needed if the compression endpoint is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.1 and later

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-75hv-2jjj-89hh

Restart Required: Yes

Instructions:

1. Update Envoy to version 1.22.1 or later.
2. Replace the existing Envoy binary with the patched version.
3. Restart the Envoy service.
4. Verify the version with 'envoy --version'.

🔧 Temporary Workarounds

Disable Compression (platform: all)

Disable decompression features in the Envoy configuration to prevent exploitation: modify the Envoy configuration to remove or disable compressors/decompressors in http_filters.

Implement Memory Limits (platform: linux)

Configure resource limits to prevent memory exhaustion: set memory limits in the container runtime (e.g., the Docker --memory flag) or in the systemd unit configuration.

🧯 If You Can't Patch

  • Disable compression/decompression features in Envoy configuration immediately
  • Implement strict network filtering to block suspicious compressed payloads at perimeter

🔍 How to Verify

Check if Vulnerable:

Check the Envoy version with 'envoy --version' and compare it to the affected range (<1.22.1). Review the configuration for compression/decompression filters in http_filters.

Check Version:

envoy --version

Verify Fix Applied:

Confirm the version is 1.22.1 or later with 'envoy --version'. Test that compression functionality works without memory spikes.
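As an added example (not from the advisory or the Envoy project), the POSIX shell script below parses the 'envoy --version' banner, compares the build number against 1.22.1, and flags a config that still names the HTTP decompressor filter. The banner layout, the filter name envoy.filters.http.decompressor, and the sample values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory or the Envoy project).
# Assumed banner shape: envoy  version: <sha>/1.22.0/Clean/RELEASE/BoringSSL
# In practice run:  is_affected "$(envoy --version 2>&1)" && echo "update to 1.22.1+"

# Pull the first MAJOR.MINOR.PATCH out of the version banner (empty if none).
envoy_semver() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Numeric dotted-version compare: prints -1, 0 or 1 (left <, =, > right).
# Handles unequal lengths (1.22 vs 1.22.1) and multi-digit parts (1.9 < 1.22).
vercmp() {
    lhs=$1; rhs=$2
    while [ -n "$lhs" ] || [ -n "$rhs" ]; do
        l=${lhs%%.*}; r=${rhs%%.*}
        [ "${l:-0}" -lt "${r:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${l:-0}" -gt "${r:-0}" ] && { printf '%s\n' 1; return 0; }
        case $lhs in *.*) lhs=${lhs#*.} ;; *) lhs= ;; esac
        case $rhs in *.*) rhs=${rhs#*.} ;; *) rhs= ;; esac
    done
    printf '%s\n' 0
}

# 0 = affected (< 1.22.1), 1 = fixed, 2 = banner could not be parsed.
is_affected() {
    v=$(envoy_semver "$1")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" 1.22.1)" -lt 0 ]
}

# 0 if the config text still names the HTTP decompressor filter (assumed name).
config_uses_decompressor() {
    printf '%s\n' "$1" | grep -q 'envoy\.filters\.http\.decompressor'
}

# Constructed sample banners and config fragment for a stand-alone run.
SAMPLE_VULN='envoy  version: 0123456789abcdef0123456789abcdef01234567/1.22.0/Clean/RELEASE/BoringSSL'
SAMPLE_FIXED='envoy  version: 0123456789abcdef0123456789abcdef01234567/1.22.1/Clean/RELEASE/BoringSSL'
SAMPLE_CONFIG='http_filters:
- name: envoy.filters.http.decompressor
- name: envoy.filters.http.router'

for b in "$SAMPLE_VULN" "$SAMPLE_FIXED"; do
    if is_affected "$b"; then echo "$(envoy_semver "$b"): AFFECTED, update to 1.22.1 or later"
    else echo "$(envoy_semver "$b"): not affected"; fi
done
config_uses_decompressor "$SAMPLE_CONFIG" && echo "config still enables decompression"
```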

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory usage spikes in Envoy logs
  • Process termination due to out-of-memory errors
  • High decompression time in access logs

Network Indicators:

  • Small compressed payloads followed by high memory consumption
  • Repeated compression requests from single sources

SIEM Query:

source="envoy" AND ("out of memory" OR "memory limit" OR "decompression failed")
