DoS Vulnerability Allows Easy Envoy Proxy Crashes

Researchers have discovered a denial-of-service (DoS) vulnerability in Envoy Proxy, which gives attackers the opportunity to crash the proxy server.

This could lead to performance degradation or unavailability of resources handled by the proxy, according to JFrog Security Research, which disclosed the vulnerability (CVE-2022-29225).

Envoy is a widely used open source edge and service proxy server designed for cloud-native applications and high-traffic websites. It can decompress both GZip and Brotli data (two compression formats), but it doesn't implement a size limit for the output buffer for the latter, JFrog found. This means that a near-unlimited amount of data could clog the buffer if attacked by a "zip bomb" — i.e., a malicious archive file designed to crash or render useless a program or system.

The vulnerability could thus be exploited by a malicious actor uploading a Brotli zip bomb to the server, resulting in acute performance issues.

"In most cases the machine's memory will not be able to handle such large amounts of data and the Envoy process will eventually crash," the JFrog blog post warned. "In most cases, before the process crashes, there will be severe performance issues due to the processor allocating a lot of resources to the decompression process."

The blog post advised users to upgrade to Envoy version 1.19.5, 1.20.4, 1.21.3, or 1.22.1, which it said would completely fix the issue. However, organizations that can't make the upgrade are advised to prohibit their configuration from allowing Brotli decompression. This can be done by removing the Brotli decompressor in its entirety, or otherwise replacing it with the Gzip decompressor.

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, explains that open source technology is often susceptible to vulnerabilities that can be exploited using older attack vectors — like a zip-bomb for exhausting memory.

“The cloud serves many always-on applications, which often leads to a lack of patching,” McCarthy says. "CVE-2022-29225 highlights the importance of cloud exploitation research, as this attack surface is growing."

He adds that when responsible disclosure occurs, virtual patching becomes an excellent mitigation option for attacks in the cloud.