content/en/news/security/istio-security-2022-005/index.md
{{< security_bulletin >}}
These Envoy CVEs do not directly impact Istio features, but we will still include them in the patch releases for 1.12.8, 1.13.5 and 1.14.1.
CVE-2022-29225 (CVSS score 7.5, High): Decompressors can be zip bombed
Decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload.
CVE-2022-29224 (CVSS score 5.9, Medium): Segfault in GrpcHealthCheckerImpl
An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
CVE-2022-29226 (CVSS score 10.0, Critical): OAuth filter allows trivial bypass The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
CVE-2022-29228 (CVSS score 7.5, High): OAuth filter calls continueDecoding() from within decodeHeaders()
The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions.
CVE-2022-29227 (CVSS score 7.5, High): Internal redirect crash for requests with body/trailers Envoy internal redirects for requests with bodies or trailers are not safe if the redirect prompts an Envoy-generated local reply.
You are at most risk if you you have an Istio ingress Gateway exposed to external traffic.
We would like to thank Otto van der Schaaf of Red Hat for the report.