First published: Fri Feb 04 2022
Envoy is an open source edge and service proxy designed for cloud-native applications. Envoy's TLS implementation allows session re-use even when some certificate validation settings have been changed from their default configuration. The only workaround for this issue is to ensure that the default TLS settings are used. Users are advised to upgrade.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/envoy | <1.18.6 | 1.18.6 |
redhat/envoy | <1.19.3 | 1.19.3 |
redhat/envoy | <1.20.2 | 1.20.2 |
redhat/envoy | <1.21.1 | 1.21.1 |
redhat/servicemesh-proxy | <0:2.0.9-3.el8 | 0:2.0.9-3.el8 |
redhat/servicemesh-proxy | <0:2.1.2-4.el8 | 0:2.1.2-4.el8 |
Envoyproxy Envoy | >=1.7.0, <1.18.6 | |
Envoyproxy Envoy | >=1.19.0, <1.19.3 | |
Envoyproxy Envoy | >=1.20.0, <1.20.2 | |
Envoyproxy Envoy | >=1.21.0, <1.21.1 | |
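As an added example (not part of the advisory or of the Envoy project), the following Python helper turns the affected-version table above into an inventory check: given a version string, or the output line of `envoy --version`, it reports whether the build falls in an affected range for CVE-2022-21654 and which release on that branch carries the fix. The sample `envoy --version` line is constructed and the build hash in it is a placeholder.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2022-21654, copied from the advisory table:
# (first affected release, first fixed release) per upstream branch.
# A build is affected when first_affected <= version < first_fixed.
AFFECTED_RANGES = [
    ((1, 7, 0), (1, 18, 6)),
    ((1, 19, 0), (1, 19, 3)),
    ((1, 20, 0), (1, 20, 2)),
    ((1, 21, 0), (1, 21, 1)),
]


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from a bare version string or an
    `envoy --version` line (e.g. '.../1.20.1/Clean/RELEASE/BoringSSL').
    The build hash is hexadecimal, so it never matches d.d.d."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: Version) -> Optional[Version]:
    """Return the first fixed release on the branch of `version`,
    or None when the version is outside every affected range."""
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return first_fixed
    return None


def is_affected(text: str) -> bool:
    """True when the version in `text` is inside an affected range."""
    return fixed_version_for(parse_version(text)) is not None


def assess(text: str) -> str:
    """Human-readable verdict for one inventory entry."""
    v = parse_version(text)
    fixed = fixed_version_for(v)
    shown = ".".join(map(str, v))
    if fixed is None:
        return f"Envoy {shown}: not in an affected range for CVE-2022-21654"
    return (f"Envoy {shown}: AFFECTED by CVE-2022-21654, "
            f"upgrade to {'.'.join(map(str, fixed))} or later on this branch")


if __name__ == "__main__":
    # Constructed sample inputs; the hash is a placeholder, not a real build id.
    samples = [
        "envoy  version: 0123456789abcdef0123456789abcdef01234567/1.20.1/Clean/RELEASE/BoringSSL",
        "v1.21.1",
        "1.18.5",
    ]
    for s in samples:
        print(assess(s))
```

Run it against the version strings collected from each proxy fleet; a non-`None` result from `fixed_version_for` is the signal to schedule the upgrade, and until then to verify that no listener or cluster TLS context deviates from Envoy's default certificate validation settings, as the advisory's workaround requires.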
CVE-2022-21654 is a critical vulnerability found in Envoy, an open source edge and service proxy.
CVE-2022-21654 has a severity rating of 9.4 (critical).
The affected software for CVE-2022-21654 includes Envoy releases from 1.7.0 onward that are older than 1.18.6, 1.19.3, 1.20.2 or 1.21.1 on their respective branches, and servicemesh-proxy releases older than 0:2.0.9-3.el8 and 0:2.1.2-4.el8.
To fix CVE-2022-21654, upgrade to Envoy 1.18.6, 1.19.3, 1.20.2 or 1.21.1 (or later on the same branch), or to servicemesh-proxy 0:2.0.9-3.el8 or 0:2.1.2-4.el8.
You can find more information about CVE-2022-21654 on the Red Hat Security Advisory website.