CVE-2022-29227

Name of the Vulnerable Software and Affected Versions Envoy versions prior to 1.22.1

Description The issue is related to a lifetime bug that can be triggered when Envoy attempts to send an internal redirect of an HTTP request consisting of more than HTTP headers. If Envoy sends a local reply when the redirect headers are processed, the downstream state indicates that the downstream stream is not complete, leading to a use-after-free error when Envoy attempts to reset the upstream stream.

Recommendations For versions prior to 1.22.1, upgrade to version 1.22.1 or later to resolve the issue. If upgrading is not possible, disable internal redirects to minimize the risk of crashes.