Headline
CVE-2022-29225
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1, decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in decodeBody/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small, highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.
Attack type
Remote, dataplane
Impact
Denial of Service
Affected component(s)
All decompressor filters
Attack vector(s)
A specifically constructed HTTP body delivered by an untrusted downstream or upstream peer whose decompressed size is dramatically larger than the compressed size…
Discoverer(s)/Credits
Shachar Menashe (shacharm@jfrog.com)
Description (brief; included in CVE)
Decompressors accumulate decompressed data into an intermediate buffer before overwriting the body in decodeBody/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small, highly compressed payload.
Example exploit or proof-of-concept
Example bomb: https://raw.githubusercontent.com/bones-codes/bombs/master/http/br.zip.bz2
repro command: curl -v http://10.0.0.1:10000/ -H "Content-Encoding: br" -H "Expect:" --data-binary @/mnt/c/temp/10GB.html.br
config:
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          path_with_escaped_slashes_action: UNESCAPE_AND_FORWARD
          merge_slashes: true
          codec_type: AUTO
          strip_trailing_host_dot: true
          strip_any_host_port: true
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: app
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: service-http
          http_filters:
          - name: decompressor
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.decompressor.v3.Decompressor
              decompressor_library:
                name: basic
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.compression.brotli.decompressor.v3.Brotli
          - name: envoy.filters.http.router
  clusters:
  - name: service-http
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service-http
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 4567
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 4568
Description (full; not included in CVE but will be published on GitHub later and linked)
Mitigation
Disable decompression
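To show the difference between the accumulate-then-overwrite pattern described above and a bounded streaming decompressor, here is an added Python example that uses zlib as a stand-in for Envoy's decompressor library; it is not Envoy code, and the output cap, ratio cap and the constructed test payloads are assumptions of the example.

```python
import zlib

# Constructed test input: 10 MiB of zero bytes shrinks to roughly 10 KiB,
# about a 1000:1 ratio, the same shape as the bomb in the advisory but at a
# size that is harmless to inflate in a test.
BOMB = zlib.compress(b"\0" * (10 * 1024 * 1024), 9)
# Constructed ordinary body: 1 KiB that compresses only a few times over.
BENIGN = zlib.compress(bytes(range(256)) * 4)


class DecompressedTooLarge(Exception):
    """Raised when a body blows past the configured output or ratio cap."""


def inflate_unbounded(payload: bytes) -> int:
    """The vulnerable pattern: inflate the whole body into one buffer first.

    Peak memory is decided by the peer's compression ratio, not by us.
    """
    return len(zlib.decompress(payload))


def inflate_bounded(payload: bytes, max_out: int, max_ratio: int = 100,
                    chunk: int = 64 * 1024) -> int:
    """Inflate `payload` in `chunk`-sized pieces and abort as soon as the
    output exceeds `max_out` bytes or `max_ratio` times the input size.

    Returns the total decompressed size. A filter would hand each `out`
    piece to the body as it is produced instead of accumulating it, so peak
    memory is bounded by `chunk` plus the compressed input.
    """
    d = zlib.decompressobj()
    total, pending = 0, payload
    while not d.eof:
        out = d.decompress(pending, chunk)  # emits at most `chunk` bytes
        total += len(out)
        if total > max_out or total > max_ratio * len(payload):
            raise DecompressedTooLarge(
                f"{total} bytes produced from {len(payload)} compressed bytes")
        pending = d.unconsumed_tail  # input zlib has not consumed yet
        if not out and not pending:
            raise ValueError("truncated compressed stream")
    return total
```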
Related news
gRPC contains a vulnerability in which HPACK table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases. Three vectors were found that allow the following DoS attacks:
- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser
The unbounded CPU consumption is down to a copy that occurred per-input-block in the parser, and because that could be unbounded due to the memory copy bug we end up with an O(n^2) parsing loop, with n selected by the client. The unbounded memory buffering bugs:
- The header size limit check was behind the string reading code, so we needed to first buffer up to a 4 gigabyte string before rejecting it as longer than 8 or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0's can be added at the start of an integer. gRPC's hpack parser needed to read all of them before concluding a parse.
- gRPC's metadata overflow check was performed per frame, so ...
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
Red Hat Security Advisory 2022-5004-01 - Red Hat OpenShift Service Mesh is a Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-5003-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release.
Red Hat Security Advisory 2022-5006-01 - Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers the RPM packages for the release. Issues addressed include a traversal vulnerability.
The DoS vulnerability allows an attacker to create a Brotli "zip bomb," resulting in acute performance issues on Envoy proxy servers.
Red Hat OpenShift Service Mesh 2.1.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-1650: eventsource: Exposure of Sensitive Information
* CVE-2022-23806: golang: crypto/elliptic IsOnCurve returns true for invalid field elements
* CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode
* CVE-2022-24785: Moment.js: Path traversal in moment.locale
* CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar
Red Hat OpenShift Service Mesh 2.1.3 has been released. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-23772: golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
* CVE-2022-23773: golang: cmd/go: misinterpretation of branch names can lead to incorrect access control
* CVE-2022-23806: golang: crypto/elliptic IsOnCurve returns true for invalid field elements
* CVE-2022-29224: envoy: Segfault in GrpcHealthCheckerImpl
* CVE-2022...
An update is now available for Red Hat OpenShift Service Mesh 2.0.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs:
* CVE-2022-29224: envoy: Segfault in GrpcHealthCheckerImpl
* CVE-2022-29225: envoy: Decompressors can be zip bombed