CVE-2022-29226

10.0 CRITICAL

📋 TL;DR

This vulnerability in Envoy's OAuth filter allows attackers to bypass authentication by providing any access token, even invalid ones. It affects all Envoy deployments using the OAuth filter in versions before 1.22.1. The flaw occurs because the implementation incorrectly assumes access tokens are always validated.

💻 Affected Systems

Products:
  • Envoy Proxy
Versions: All versions prior to 1.22.1
Operating Systems: All platforms running Envoy
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the OAuth filter is enabled and configured. The vulnerability is in the filter implementation itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete unauthorized access to protected resources and services behind Envoy proxy, potentially leading to data breaches, privilege escalation, and full system compromise.

🟠

Likely Case

Unauthenticated attackers gaining access to protected APIs and services that rely on Envoy's OAuth filter for authentication.

🟢

If Mitigated

No impact if the OAuth filter is not enabled or if proper network segmentation and additional authentication layers exist.

🌐 Internet-Facing: HIGH - Internet-facing Envoy instances with OAuth filter enabled are directly exploitable without authentication.
🏢 Internal Only: HIGH - Internal Envoy instances are equally vulnerable if attackers gain internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending any access token parameter to Envoy with OAuth filter enabled. No special tools or complex techniques needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.22.1 and later

Vendor Advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh

Restart Required: Yes

Instructions:

1. Upgrade Envoy to version 1.22.1 or later.
2. Update configuration if needed.
3. Restart Envoy service.
4. Verify the fix by testing authentication flow.

🔧 Temporary Workarounds

Disable OAuth Filter

Platform: all

Temporarily disable the OAuth filter if not essential for operations

# Edit Envoy configuration to remove or comment out OAuth filter configuration
# Restart Envoy after configuration change

🧯 If You Can't Patch

  • Implement additional authentication layer (e.g., API gateway, WAF) in front of Envoy
  • Apply strict network segmentation to limit access to Envoy instances

🔍 How to Verify

Check if Vulnerable:

Check the Envoy version and whether the OAuth filter is configured. If the version is earlier than 1.22.1 and the OAuth filter is enabled, the system is vulnerable.

Check Version:

envoy --version

Verify Fix Applied:

After upgrading to 1.22.1 or later, confirm that a request carrying an invalid access token is rejected and that the full OAuth flow is triggered when the HMAC-signed cookie is missing.
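As an added example (not code from the original page or from the Envoy project), the following Python check applies the rule above: parse the version string reported by `envoy --version` and scan the Envoy configuration text for the OAuth2 HTTP filter. It assumes the version string contains a dotted `major.minor.patch` triple and that the filter is identified by the `envoy.filters.http.oauth2` name or its `v3.OAuth2` typed_config URL; the sample version line and config snippet are constructed.

```python
import re
import subprocess
import sys

FIXED_VERSION = (1, 22, 1)  # first release containing the fix
# Identifiers that mark the OAuth2 HTTP filter in an Envoy config (assumed markers).
OAUTH_FILTER_MARKERS = (
    "envoy.filters.http.oauth2",
    "envoy.extensions.filters.http.oauth2.v3.OAuth2",
)

def parse_envoy_version(version_output: str):
    """Return (major, minor, patch) from `envoy --version` output, or None.
    Assumes the output contains a dotted triple such as '.../1.22.0/Clean/...'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(x) for x in m.groups()) if m else None

def oauth_filter_enabled(config_text: str) -> bool:
    """Coarse check: True if any OAuth2 filter marker appears in the config text."""
    return any(marker in config_text for marker in OAUTH_FILTER_MARKERS)

def is_vulnerable(version_output: str, config_text: str) -> bool:
    """Vulnerable when version < 1.22.1 and the OAuth2 filter is configured."""
    version = parse_envoy_version(version_output)
    if version is None:
        raise ValueError("could not parse Envoy version from: %r" % version_output)
    return version < FIXED_VERSION and oauth_filter_enabled(config_text)

# Constructed sample inputs for a stand-alone run.
SAMPLE_VERSION_OUTPUT = "envoy  version: 0123abcd/1.22.0/Clean/RELEASE/BoringSSL"
SAMPLE_CONFIG = """
http_filters:
- name: envoy.filters.http.oauth2
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
- name: envoy.filters.http.router
"""

if __name__ == "__main__":
    # Usage: python check.py /path/to/envoy.yaml  (runs the real `envoy --version`)
    if len(sys.argv) > 1:
        version_out = subprocess.run(["envoy", "--version"], capture_output=True,
                                     text=True, check=True).stdout
        with open(sys.argv[1], encoding="utf-8") as f:
            config = f.read()
    else:
        version_out, config = SAMPLE_VERSION_OUTPUT, SAMPLE_CONFIG
    print("VULNERABLE" if is_vulnerable(version_out, config) else "not vulnerable")
```

The config scan is text-based and will also match a commented-out filter, so treat a positive result as a prompt to inspect the listener's http_filters chain rather than as proof on its own.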

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts with access tokens
  • OAuth filter authentication bypass logs
  • Unexpected successful authentications

Network Indicators:

  • HTTP requests with access token parameters to protected endpoints
  • Traffic patterns showing authentication bypass

SIEM Query:

source="envoy" AND ("oauth" OR "access_token") AND status="200" AND auth="bypass"
