CVE-2022-21657

Name of the Vulnerable Software and Affected Versions Envoy (affected versions not specified)

Description The issue concerns Envoy, an open source edge and service proxy designed for cloud-native applications. In affected versions, Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage (id-kp-serverAuth and id-kp-clientAuth, respectively). This means that a peer may present an e-mail certificate (e.g. id-kp-emailProtection), either as a leaf certificate or as a CA in the chain, and it will be accepted for TLS. As a result, Envoy will trust upstream certificates that should not be trusted.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.