{ "threat_severity" : "Important", "public_date" : "2022-06-09T14:00:00Z", "bugzilla" : { "description" : "envoy: Decompressors can be zip bombed", "id" : "2088737", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2088737" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-409", "details" : [ "Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 secompressors accumulate decompressed data into an intermediate buffer before overwriting the body in the decode/encodeBody. This may allow an attacker to zip bomb the decompressor by sending a small highly compressed payload. Maliciously constructed zip files may exhaust system memory and cause a denial of service. Users are advised to upgrade. Users unable to upgrade may consider disabling decompression.", "A flaw was found in Envoy. A specifically constructed HTTP body delivered by an untrusted downstream or upstream peer whose decompressed size is dramatically larger than the compressed size can be sent by an attacker to cause a denial of service." ], "acknowledgement" : "Red Hat would like to thank the Envoy security team for reporting this issue.", "affected_release" : [ { "product_name" : "OpenShift Service Mesh 2.0", "release_date" : "2022-06-13T00:00:00Z", "advisory" : "RHSA-2022:5003", "cpe" : "cpe:/a:redhat:service_mesh:2.0::el8", "package" : "servicemesh-proxy-0:2.0.10-1.el8" }, { "product_name" : "OpenShift Service Mesh 2.1", "release_date" : "2022-06-13T00:00:00Z", "advisory" : "RHSA-2022:5004", "cpe" : "cpe:/a:redhat:service_mesh:2.1::el8", "package" : "servicemesh-proxy-0:2.1.3-1.el8" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-29225\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-29225\nhttps://github.com/envoyproxy/envoy/security/advisories/GHSA-75hv-2jjj-89hh" ], "name" : "CVE-2022-29225", "mitigation" : { "value" : "This can be mitigated by disabling decompression in Envoy.", "lang" : "en:us" }, "csaw" : false }