What is CVE-2022-21657?

CVE-2022-21657 is a vulnerability in Envoy that allows it to accept certificates without the necessary extendedKeyUsage.

How does CVE-2022-21657 affect Envoy?

CVE-2022-21657 affects Envoy by not restricting the set of certificates it accepts from the peer to only those with the necessary extendedKeyUsage.

What is the severity of CVE-2022-21657?

CVE-2022-21657 has a severity score of 6.5 out of 10, which is considered medium.

Which versions of Envoy are affected by CVE-2022-21657?

Envoy versions up to and including 1.18.6, 1.19.0 to 1.19.3, and 1.20.0 to 1.20.2 are affected by CVE-2022-21657.

How can I fix CVE-2022-21657 in Envoy?

To fix CVE-2022-21657 in Envoy, update to a version that includes the necessary fix released by the Envoy project.

Vulnerability/
CVE-2022-21657

medium

6.8

CWE

295

22/2/2022

3/8/2024

CVE-2022-21657: X.509 Extended Key Usage and Trust Purposes bypass in Envoy

First published: Tue Feb 22 2022(Updated: )

Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. This is particularly bad when combined with the issue described in pull request #630, in that it allows a Web PKI CA that is intended only for use with S/MIME, and thus exempted from audit or supervision, to issue TLS certificates that will be accepted by Envoy. As a result Envoy will trust upstream certificates that should not be trusted. There are no known workarounds to this issue. Users are advised to upgrade.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Envoyproxy Envoy	<1.18.6
Envoyproxy Envoy	>=1.19.0<1.19.3
Envoyproxy Envoy	>=1.20.0<1.20.2

Remedy

https://github.com/envoyproxy/envoy/pull/630

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-21657?
CVE-2022-21657 is a vulnerability in Envoy that allows it to accept certificates without the necessary extendedKeyUsage.
How does CVE-2022-21657 affect Envoy?
CVE-2022-21657 affects Envoy by not restricting the set of certificates it accepts from the peer to only those with the necessary extendedKeyUsage.
What is the severity of CVE-2022-21657?
CVE-2022-21657 has a severity score of 6.5 out of 10, which is considered medium.
Which versions of Envoy are affected by CVE-2022-21657?
Envoy versions up to and including 1.18.6, 1.19.0 to 1.19.3, and 1.20.0 to 1.20.2 are affected by CVE-2022-21657.
How can I fix CVE-2022-21657 in Envoy?
To fix CVE-2022-21657 in Envoy, update to a version that includes the necessary fix released by the Envoy project.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/severity
agent/last-modified-date
agent/title
agent/remedy
agent/author
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/envoyproxy
canonical/envoyproxy envoy
version/envoyproxy envoy/1.19.0
version/envoyproxy envoy/1.20.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.