Researchers on Thursday found a denial-of-service (DoS) vulnerability in Envoy Proxy, a widely-used open-source edge and service proxy server designed for cloud-native applications and high-traffic websites.
The DoS vulnerability — CVE-2022-29225 — was explained in a blog by JFrog Security Research.
According to the JFrog researchers, the DoS vulnerability lets attackers crash the proxy server, leading to performance degradation and the unavailability of resources handled by the proxy.
Envoy said the definitive fix is to upgrade to one of the patched releases, versions 1.19.5, 1.20.4, 1.21.3 or 1.22.1, which fully resolve the issue.
Open-source technology often becomes susceptible to vulnerabilities that threat actors can exploit using older attack vectors — like a Zip-Bomb exhausting memory, said Davis McCarthy, principal security researcher at Valtix. McCarthy said the cloud serves many always-on applications, which often leads to a lack of patching.
“CVE-2022-29225 highlights the importance of cloud exploitation research as this attack surface is growing,” McCarthy said. “When responsible disclosure occurs, virtual-patching becomes an excellent mitigation for attacks in the cloud.”
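To illustrate the Zip-Bomb style of memory exhaustion McCarthy refers to, and the kind of bound a decompressor needs against it, here is an added Python example (not Envoy's own code, which is C++, and not from the JFrog write-up): a gzip inflater that enforces a cap on the decompressed-to-compressed ratio while streaming, so an oversized body is rejected before it is fully materialised. The ratio of 100 and the sample bodies are assumptions constructed for the demo.

```python
import gzip
import zlib


class InflateRatioExceeded(Exception):
    """Raised when a compressed body expands beyond the allowed ratio."""


def bounded_gunzip(data: bytes, max_inflate_ratio: int = 100,
                   step: int = 64 * 1024) -> bytes:
    """Inflate a gzip body while enforcing an output/input ratio cap.

    Output is produced in `step`-sized slices so the check runs before the
    next slice is allocated; a single unbounded decompress() call would have
    already placed the whole expanded body in memory.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: expect gzip wrapper
    out = bytearray()
    buf = data
    while True:
        piece = d.decompress(buf, step)          # at most `step` bytes of output
        out += piece
        consumed = len(data) - len(d.unconsumed_tail)  # tail is a suffix of data
        if len(out) > max_inflate_ratio * max(consumed, 1):
            raise InflateRatioExceeded(
                f"{len(out)} bytes inflated from {consumed} compressed bytes "
                f"exceeds ratio {max_inflate_ratio}")
        if d.eof or (not d.unconsumed_tail and not piece):
            break
        buf = d.unconsumed_tail                  # input zlib has not read yet
    return bytes(out) + d.flush()


def classify(data: bytes, max_inflate_ratio: int = 100) -> tuple:
    """Return ("ok", inflated_size) or ("rejected", 0) for a gzip body."""
    try:
        return "ok", len(bounded_gunzip(data, max_inflate_ratio))
    except InflateRatioExceeded:
        return "rejected", 0


# Constructed sample bodies (not real traffic): one that compresses only
# modestly, and a highly compressible one standing in for a decompression bomb.
NORMAL_PLAIN = bytes(range(256)) * 16                 # 4 KiB, far below 100:1
NORMAL_GZ = gzip.compress(NORMAL_PLAIN)
BOMB_GZ = gzip.compress(b"\x00" * (1 << 20))          # 1 MiB of zeros, well over 100:1

if __name__ == "__main__":
    print("normal body:", classify(NORMAL_GZ))        # ('ok', 4096)
    print("bomb body:  ", classify(BOMB_GZ))          # ('rejected', 0)
```

Peak memory for a rejected body stays near `max_inflate_ratio * consumed + step` instead of the full expanded size, which is the property a proxy needs to keep serving other requests.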