Cloud Security, Vulnerability Management

Patches issued for denial-of-service vulnerability found in cloud-native Envoy proxy

Pictured: A computer keyboard is seen in this cropped image with Javascript in the background. (“Coding Javascript” by Christiaan Colen is marked with CC BY-SA 2.0.)

Researchers on Thursday found a denial-of-service (DoS) vulnerability in Envoy Proxy, a widely used open-source edge and service proxy server designed for cloud-native applications and high-traffic websites.

The DoS vulnerability — CVE-2022-29225 — was explained in a blog by JFrog Security Research.

According to the JFrog researchers, the DoS vulnerability lets attackers crash the proxy server, leading to performance degradation and the unavailability of resources handled by the proxy.

Envoy said the best fix is for security teams to upgrade to Envoy version 1.19.5, 1.20.4, 1.21.3, or 1.22.1, whichever matches their release branch; those releases completely fix the issue.
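The practical question for a defender is which fleet members still sit below the fixed release for their branch. The script below is an added example, not code from Envoy or JFrog: it encodes only the four fixed versions the article names and checks an inventory of version strings against them. Two assumptions are labelled in the code: branches older than 1.19 are treated as unpatched (conservative), branches newer than 1.22 as fixed, and the `envoy --version` banner layout it tolerates is assumed rather than taken from this page.

```python
"""
Check whether an Envoy release is at or above the patched versions the
article lists for CVE-2022-29225.

Added example; not code from Envoy or JFrog. Fixed versions (1.19.5, 1.20.4,
1.21.3, 1.22.1) come from the article. Assumptions: branches older than 1.19
are reported as unpatched (conservative); branches newer than 1.22 are
reported as fixed because they were cut after the fix landed.
"""
import re
from typing import Dict, Optional, Tuple

# Patched release per minor branch, as stated in the article.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 19): (1, 19, 5),
    (1, 20): (1, 20, 4),
    (1, 21): (1, 21, 3),
    (1, 22): (1, 22, 1),
}

# Picks the first dotted triple out of either a bare "1.22.0" or a longer
# banner such as the one `envoy --version` prints (assumed layout:
# "<hash>/<version>/<build>/<type>/<tls lib>").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a bare version or a version banner."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(text: str) -> bool:
    """True only if the version is at or above the fix for its own branch.

    Unparseable input counts as unpatched so a broken inventory entry shows
    up as a finding instead of silently passing.
    """
    v = parse_version(text)
    if v is None:
        return False
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[branch]
    # Assumption: anything newer than the newest listed branch already carries
    # the fix; anything older is out of support and treated as vulnerable.
    return branch > max(FIXED_VERSIONS)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'ok' / 'UPGRADE' for a {host: version_string} inventory."""
    return {host: ("ok" if is_patched(ver) else "UPGRADE")
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "edge-a": "1.22.1",
        "edge-b": "1.22.0",
        "mesh-1": "envoy  version: deadbeef/1.21.3/Clean/RELEASE/BoringSSL",
        "mesh-2": "1.20.3",
        "legacy": "1.18.4",
        "bad":    "unknown",
    }
    for host, verdict in triage(sample).items():
        print(f"{host:8s} {verdict}")
```

The per-branch table matters: a host on 1.20.4 is fixed even though 1.22.1 is numerically higher, and a naive "is it >= 1.22.1" check would wrongly flag every patched 1.19/1.20/1.21 node for an upgrade it does not need.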

Open-source technology often becomes susceptible to vulnerabilities that threat actors can exploit using older attack vectors — like a Zip-Bomb exhausting memory, said Davis McCarthy, principal security researcher at Valtix. McCarthy said the cloud serves many always-on applications, which often leads to a lack of patching.

“CVE-2022-29225 highlights the importance of cloud exploitation research as this attack surface is growing,” McCarthy said. “When responsible disclosure occurs, virtual-patching becomes an excellent mitigation for attacks in the cloud.”
