First published: Fri May 20 2022(Updated: )
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 secompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/Envoy | <1.22.1 | 1.22.1 |
redhat/Envoy | <1.21.3 | 1.21.3 |
redhat/Envoy | <1.20.4 | 1.20.4 |
redhat/Envoy | <1.19.5 | 1.19.5 |
redhat/servicemesh-proxy | <0:2.0.10-1.el8 | 0:2.0.10-1.el8 |
redhat/servicemesh-proxy | <0:2.1.3-1.el8 | 0:2.1.3-1.el8 |
Envoyproxy Envoy | <1.22.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-29225 is a vulnerability found in Envoy, a cloud-native high-performance proxy, where compressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody, potentially allowing an attacker to zip bomb the decompressor.
CVE-2022-29225 can allow an attacker to zip bomb the decompressor of Envoy by sending a small highly compressed payload, potentially causing resource exhaustion and denial of service.
The severity of CVE-2022-29225 is high, with a CVSS score of 7.5.
Versions of Envoy prior to 1.22.1 are affected by CVE-2022-29225.
To mitigate CVE-2022-29225, it is recommended to update Envoy to version 1.22.1 or later.