
CVE-2022-29224: CWE-476: NULL Pointer Dereference in envoyproxy envoy

Medium
Published: Thu Jun 09 2022 (06/09/2022, 19:10:10 UTC)
Source: CVE
Vendor/Project: envoyproxy
Product: envoy

Description

Envoy is a cloud-native high-performance proxy. Versions of envoy prior to 1.22.1 are subject to a segmentation fault in the GrpcHealthCheckerImpl. Envoy can perform various types of upstream health checking. One of them uses gRPC. Envoy also has a feature which can “hold” (prevent removal) upstream hosts obtained via service discovery until configured active health checking fails. If an attacker controls an upstream host and also controls service discovery of that host (via DNS, the EDS API, etc.), an attacker can crash Envoy by forcing removal of the host from service discovery, and then failing the gRPC health check request. This will crash Envoy via a null pointer dereference. Users are advised to upgrade to resolve this vulnerability. Users unable to upgrade may disable gRPC health checking and/or replace it with a different health checking type as a mitigation.

AI-Powered Analysis

Last updated: 06/23/2025, 06:22:05 UTC

Technical Analysis

CVE-2022-29224 is a medium-severity vulnerability affecting versions of Envoy proxy prior to 1.22.1. Envoy is a widely used cloud-native high-performance proxy that supports various upstream health checking mechanisms, including gRPC-based health checks. The vulnerability arises from a NULL pointer dereference in the GrpcHealthCheckerImpl component. Specifically, Envoy has a feature that allows it to “hold” upstream hosts obtained via service discovery, preventing their removal until active health checks fail. An attacker who controls an upstream host and the associated service discovery mechanism (such as DNS or Endpoint Discovery Service API) can exploit this by forcing the removal of the host from service discovery and then causing the gRPC health check to fail. This sequence triggers a null pointer dereference, resulting in a segmentation fault that crashes the Envoy process. The crash leads to a denial of service (DoS) condition for the proxy, potentially disrupting traffic routing and service availability. The vulnerability does not require authentication but does require the attacker to control upstream hosts and service discovery data, which may limit exploitation scope. No known exploits are reported in the wild, and the vendor recommends upgrading to version 1.22.1 or later to remediate the issue. For users unable to upgrade promptly, disabling gRPC health checking or switching to alternative health check types can mitigate the risk.

Potential Impact

The primary impact of this vulnerability is denial of service due to Envoy process crashes. For European organizations relying on Envoy as a critical component in their cloud-native infrastructure, microservices architecture, or service mesh deployments, exploitation could disrupt service availability and degrade operational continuity. This is particularly significant for sectors with high availability requirements such as finance, telecommunications, healthcare, and government services. The crash could interrupt traffic routing, load balancing, and health monitoring, potentially causing cascading failures in dependent services. While the vulnerability does not directly expose data confidentiality or integrity, the availability impact can indirectly affect business operations and service-level agreements (SLAs). Given that exploitation requires control over upstream hosts and service discovery, the threat is more relevant in environments where service discovery is externally influenced or less tightly controlled. The absence of known exploits suggests limited active threat but does not preclude targeted attacks, especially in high-value environments.

Mitigation Recommendations

1. Upgrade Envoy to version 1.22.1 or later, which contains the fix for this vulnerability.
2. If immediate upgrade is not feasible, disable gRPC health checking in Envoy configurations and replace it with alternative health check mechanisms such as HTTP or TCP health checks.
3. Harden service discovery mechanisms to prevent unauthorized manipulation of upstream host information, including securing DNS and EDS APIs with strict access controls and authentication.
4. Implement monitoring and alerting for Envoy crashes or abnormal health check failures to detect potential exploitation attempts early.
5. Conduct regular audits of upstream host configurations and service discovery data to ensure integrity and prevent malicious modifications.
6. Employ network segmentation and zero-trust principles to limit attacker ability to control upstream hosts or service discovery components.
7. Test failover and recovery procedures to minimize downtime in case of Envoy crashes.
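One concrete form of recommendation 2, as an added example that is not the advisory's or the Envoy project's own configuration: a DNS-discovered cluster with the affected gRPC active health check, followed by the same cluster with an HTTP health check in its place. Cluster names, the hostname, port, gRPC service name and the /healthz path are constructed placeholders.

```yaml
# Added example, not from the advisory. Envoy v3 static_resources fragment.
static_resources:
  clusters:
  # Affected configuration on Envoy < 1.22.1: hosts come from DNS and are
  # held (not removed) while the gRPC active health check still passes.
  - name: backend-grpc-hc                # constructed name
    type: STRICT_DNS                     # upstream hosts resolved via DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: backend-grpc-hc
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend.example.internal   # constructed hostname
                port_value: 8080
    health_checks:
    - timeout: 1s
      interval: 5s
      unhealthy_threshold: 3
      healthy_threshold: 2
      grpc_health_check:                 # the health checker named in the CVE
        service_name: backend.v1.Backend # constructed gRPC service name

  # Mitigated configuration: identical cluster, but the active check uses
  # HTTP. A TCP check (tcp_health_check: {}) is the other option the
  # advisory allows and drops in at the same position.
  - name: backend-http-hc                # constructed name
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: backend-http-hc
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend.example.internal   # constructed hostname
                port_value: 8080
    health_checks:
    - timeout: 1s
      interval: 5s
      unhealthy_threshold: 3
      healthy_threshold: 2
      http_health_check:
        path: /healthz                   # constructed health endpoint
```

Treat the HTTP or TCP check as an interim measure only; the advisory's primary fix remains upgrading to 1.22.1 or later.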


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-04-13T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9843c4522896dcbf32cb

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 6:22:05 AM

Last updated: 8/4/2025, 6:48:32 PM
