PT-2022-20483 · Envoy, Istio

Howardjohn · Published 2022-06-09 · Updated 2022-06-17 · CVE-2022-31045

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Istio 1.12.x prior to 1.12.8
Istio 1.13.x prior to 1.13.5
Istio 1.14.x prior to 1.14.1

Istio releases older than the 1.12 branch are also prior to 1.12.8 and have no fixed release of their own; the bundled Envoy proxy is the component that fails.
Description

Ill-formed headers sent to Envoy in certain configurations lead to unexpected memory access, which can result in undefined behaviour or a crash of the proxy. Users are most likely at risk if they have an Istio ingress Gateway exposed to external traffic, since that is where untrusted clients can deliver such headers.
Recommendations

For the 1.12 branch, upgrade to 1.12.8 or later.
For the 1.13 branch, upgrade to 1.13.5 or later.
For the 1.14 branch, upgrade to 1.14.1 or later.

As a temporary workaround until the upgrade is done, restrict access to the Istio ingress Gateway to trusted sources (for example, by limiting the source address ranges admitted at the network edge) so that untrusted clients cannot send headers to Envoy.
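The version ranges and upgrade targets above, applied to the output of `istioctl version -o json`, as an added triage helper. This is example code written for this page, not code from Istio, Envoy or the tracker; the `meshVersion` / `dataPlaneVersion` field names are assumed from istioctl's JSON output, and the sample document is constructed.

```python
"""Triage Istio versions against the ranges in this advisory (CVE-2022-31045).

Example code for this page; not from Istio, Envoy or the tracker.  The fixed
versions come from the advisory text.  The istioctl JSON field names are an
assumption about `istioctl version -o json`, and SAMPLE below is constructed.
"""
import json
import re
from typing import Optional

# First fixed release per branch, per the advisory.
FIXED_IN = {
    (1, 12): (1, 12, 8),
    (1, 13): (1, 13, 5),
    (1, 14): (1, 14, 1),
}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from '1.13.4', 'v1.13.4' or '1.13.4-distroless'."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Istio version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None.

    Branches 1.12 / 1.13 / 1.14 are affected below their fixed patch release.
    Branches older than 1.12 are 'prior to 1.12.8' and have no fix of their own,
    so the oldest fixed release (1.12.8) is the target.  Branches newer than
    1.14 are assumed to carry the 1.14.1 fix and are reported as unaffected.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if (major, minor, patch) >= fixed:
            return None
        return ".".join(map(str, fixed))
    oldest_fixed_branch = min(FIXED_IN)
    if branch < oldest_fixed_branch:
        return ".".join(map(str, FIXED_IN[oldest_fixed_branch]))
    return None


def triage_istioctl_json(doc: str) -> dict[str, Optional[str]]:
    """Map every component in an `istioctl version -o json` document to the
    release it must be upgraded to (None when it is not affected)."""
    data = json.loads(doc)
    result: dict[str, Optional[str]] = {}
    for comp in data.get("meshVersion", []):          # control plane (assumed field names)
        result[comp["Component"]] = fixed_version_for(comp["Info"]["version"])
    for proxy in data.get("dataPlaneVersion", []):    # sidecars and gateways (assumed field names)
        result[proxy["ID"]] = fixed_version_for(proxy["IstioVersion"])
    return result


# Constructed sample in the assumed istioctl JSON shape: an unpatched 1.13
# control plane and ingress gateway next to an already-patched 1.12 sidecar.
SAMPLE = json.dumps({
    "clientVersion": {"version": "1.14.1"},
    "meshVersion": [{"Component": "pilot", "Info": {"version": "1.13.4"}}],
    "dataPlaneVersion": [
        {"ID": "istio-ingressgateway-7d6b9b9c7-abcde.istio-system", "IstioVersion": "1.13.4"},
        {"ID": "productpage-v1-5f7c6d8b9-xyz12.default", "IstioVersion": "1.12.8"},
    ],
})


if __name__ == "__main__":
    for name, target in triage_istioctl_json(SAMPLE).items():
        status = f"affected, upgrade to {target}" if target else "not affected"
        print(f"{name}: {status}")
```

Run it against real output with `istioctl version -o json | python3 triage.py` after replacing `SAMPLE` with `sys.stdin.read()`; gateways listed under the data plane are the entries that matter most for this advisory, since they are the proxies exposed to external traffic.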

Weakness Enumeration

Out of bounds Read (CWE-125)

Related Identifiers

CVE-2022-31045
ECHO-4846-7CB3-2D3C
GHSA-XWX5-5C9G-X68X
RHSA-2022:5004

Affected Products

Envoy
Istio