3 matches found
CVE-2022-21654 Incorrect configuration handling allows TLS session re-use without re-validation in Envoy
Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised...
CVE-2022-21657 X.509 Extended Key Usage and Trust Purposes bypass in Envoy
Envoy is an open source edge and service proxy, designed for cloud-native applications. In affected versions Envoy does not restrict the set of certificates it accepts from the peer, either as a TLS client or a TLS server, to only those certificates that contain the necessary extendedKeyUsage...
Consul’s Envoy TLS Configuration Did Not Validate Destination Service Subject Alternative Names
Summary A vulnerability was identified in Consul and Consul Enterprise “Consul” such that the Envoy proxy configuration for Consul Connect does not mutually verify the destination service identity. This vulnerability, CVE-2021-32574, affects Consul versions 1.3.0 up to 1.10.0, and is fixed in the...