
CVE-2022-21655: CWE-670: Always-Incorrect Control Flow Implementation in envoyproxy envoy

Medium
Published: Tue Feb 22 2022 (02/22/2022, 22:40:11 UTC)
Source: CVE
Vendor/Project: envoyproxy
Product: envoy

Description

Envoy is an open source edge and service proxy, designed for cloud-native applications. The envoy common router will segfault if an internal redirect selects a route configured with direct response or redirect actions. This will result in a denial of service. As a workaround turn off internal redirects if direct response entries are configured on the same listener.

AI-Powered Analysis

Last updated: 06/23/2025, 17:34:21 UTC

Technical Analysis

CVE-2022-21655 is a medium-severity vulnerability affecting Envoy, an open-source edge and service proxy widely used in cloud-native application environments. The vulnerability arises from an always-incorrect control flow implementation (CWE-670) in Envoy's common router component. Specifically, when an internal redirect attempts to select a route configured with direct response or redirect actions, the router encounters a segmentation fault (segfault), causing the Envoy process to crash. This behavior leads to a denial of service (DoS) condition, disrupting the availability of services relying on Envoy for routing and proxying. The issue affects multiple versions of Envoy: all versions prior to 1.18.6, versions from 1.19.0 up to but not including 1.19.3, versions from 1.20.0 up to but not including 1.20.2, and versions from 1.21.0 up to but not including 1.21.1. The root cause is a flawed control flow logic that does not correctly handle the combination of internal redirects with routes configured for direct response or redirect actions, leading to an invalid memory access and crash. No known exploits have been reported in the wild as of the published date (February 22, 2022). The recommended workaround is to disable internal redirects on listeners that have direct response entries configured, mitigating the risk until a patched version is deployed. This vulnerability impacts the availability of services but does not directly compromise confidentiality or integrity. Since Envoy is a critical component in many microservices architectures and cloud-native deployments, this DoS can cause significant service disruption if exploited or triggered unintentionally.

Potential Impact

For European organizations, the impact of CVE-2022-21655 primarily concerns service availability. Envoy is commonly deployed as a service mesh proxy or edge proxy in cloud-native environments, including Kubernetes clusters, which are widely adopted across Europe in sectors such as finance, telecommunications, healthcare, and government. A successful exploitation or accidental triggering of this vulnerability could cause Envoy to crash, resulting in denial of service for critical applications and services. This can lead to operational downtime, degraded user experience, and potential financial losses. Although no data breach or integrity compromise is directly associated with this vulnerability, the disruption of service availability can have cascading effects, especially for organizations relying on real-time data processing or customer-facing applications. Additionally, organizations with strict service-level agreements (SLAs) or regulatory requirements around uptime and availability (e.g., financial institutions under PSD2 or healthcare providers under GDPR mandates) may face compliance risks or penalties if service disruptions occur. The lack of known exploits reduces immediate risk, but the vulnerability's presence in multiple Envoy versions means many deployments remain exposed if not patched or mitigated.

Mitigation Recommendations

1. Upgrade Envoy to a fixed version: Organizations should prioritize upgrading to Envoy versions 1.18.6 or later, 1.19.3 or later, 1.20.2 or later, or 1.21.1 or later, where this vulnerability is addressed.
2. Disable internal redirects on listeners with direct response or redirect routes: As an immediate workaround, configure Envoy listeners to turn off internal redirects if direct response entries are present. This prevents the vulnerable code path from being triggered.
3. Audit Envoy configurations: Review routing configurations to identify any use of internal redirects combined with direct response or redirect actions, and adjust them accordingly.
4. Implement robust monitoring and alerting: Deploy monitoring to detect Envoy process crashes or restarts, enabling rapid response to potential DoS events.
5. Test updates in staging environments: Before production deployment, validate the upgrade and configuration changes to ensure stability and compatibility.
6. Harden deployment environments: Use container orchestration features (e.g., Kubernetes PodDisruptionBudgets, readiness/liveness probes) to minimize service impact during Envoy restarts.
7. Maintain up-to-date inventories: Track Envoy versions and configurations across all environments to ensure timely patching and mitigation.
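Recommendations 1, 3 and 7 can be partly automated. The script below is an added example, not Envoy's own tooling or code from this advisory: it checks a plain X.Y.Z version string against the affected ranges listed above, and scans a route configuration (Envoy v3 API in JSON form, assumed to have been extracted from a listener's `route_config` or an RDS response) for routes that handle internal redirects alongside `direct_response` or `redirect` routes in the same configuration. The sample route configuration is constructed for the example.

```python
import json
from typing import List, Tuple

# Constructed sample route config (Envoy v3 API, JSON form); not from any real
# deployment. One virtual host mixes a route that handles internal redirects
# with direct_response and redirect routes, which is the CVE-2022-21655 pattern.
SAMPLE_ROUTE_CONFIG = json.loads("""
{"name": "local_route", "virtual_hosts": [{"name": "backend", "domains": ["*"],
  "routes": [
    {"match": {"prefix": "/api"},
     "route": {"cluster": "api", "internal_redirect_policy": {"max_internal_redirects": 3}}},
    {"match": {"prefix": "/healthz"},
     "direct_response": {"status": 200, "body": {"inline_string": "ok"}}},
    {"match": {"prefix": "/old"}, "redirect": {"path_redirect": "/new"}}
  ]}]}
""")

# First fixed patch level per 1.x minor line, taken from the affected ranges in the advisory.
FIXED_MINOR = {18: 6, 19: 3, 20: 2, 21: 1}

def is_vulnerable_version(version: str) -> bool:
    """True if an Envoy version (plain X.Y.Z) falls inside an affected range."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if major != 1:
        return False
    if minor < 18:
        return True  # every release before 1.18.6 is affected
    if minor in FIXED_MINOR:
        return patch < FIXED_MINOR[minor]
    return False  # minor lines after 1.21 are not listed as affected

def handles_internal_redirects(route: dict) -> bool:
    """Route action opts into internal redirects (v3 policy or the deprecated enum form)."""
    action = route.get("route", {})
    return ("internal_redirect_policy" in action
            or action.get("internal_redirect_action") == "HANDLE_INTERNAL_REDIRECT")

def find_risky_combinations(route_config: dict) -> List[Tuple[str, str, str]]:
    """Pair each internal-redirect route with every direct_response/redirect route in
    the same route configuration; each (source, target, target_action) can hit the crash."""
    handlers, terminal = [], []
    for vhost in route_config.get("virtual_hosts", []):
        for route in vhost.get("routes", []):
            label = f"{vhost.get('name', '?')} {json.dumps(route.get('match', {}), sort_keys=True)}"
            if handles_internal_redirects(route):
                handlers.append(label)
            terminal += [(label, kind) for kind in ("direct_response", "redirect") if kind in route]
    return [(src, dst, kind) for src in handlers for dst, kind in terminal]
```

A non-empty result from `find_risky_combinations` on a still-vulnerable version means the listener needs either the upgrade or the workaround of removing the internal redirect policy.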


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-11-16T00:00:00.000Z
CISA Enriched: true
