CVE-2022-29226 Overview
CVE-2022-29226 is a critical authentication bypass vulnerability in Envoy, a cloud-native high-performance proxy. In versions prior to 1.22.1, the OAuth filter implementation does not include a mechanism for validating access tokens. By design, when the HMAC signed cookie is missing, a full authentication flow should be triggered. However, the flawed implementation assumes that access tokens are always validated, allowing unauthorized access in the presence of any access token attached to the request—regardless of its validity.
Critical Impact
This vulnerability allows attackers to bypass OAuth authentication entirely by simply providing any arbitrary access token in the Authorization header or query string, granting unauthorized access to protected resources without legitimate credentials.
Affected Products
- Envoyproxy Envoy versions prior to 1.22.1
- Any service mesh or API gateway deployment using Envoy's OAuth2 filter
- Cloud-native applications relying on Envoy for OAuth-based authentication
Discovery Timeline
- 2022-06-09 - CVE-2022-29226 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-29226
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The OAuth2 filter in Envoy was designed to protect resources by validating authentication tokens. However, the implementation contained a critical flaw in its token validation logic. The filter would accept any request containing a bearer token in the Authorization header or a token query parameter without actually validating whether the token was legitimate, properly signed, or associated with an authorized user session.
The vulnerability exists because the extractAccessToken function would extract tokens from incoming requests and the filter would treat the mere presence of a token as proof of authentication, rather than triggering the full OAuth flow when proper HMAC-signed cookies were missing.
Root Cause
The root cause lies in the OAuth2 filter's flawed assumption about access token validation. The found_bearer_token_ flag was set when any token was detected in the request, and the filter would subsequently grant access based on this flag alone. The code failed to implement actual token validation, signature verification, or checks against the OAuth provider. This design flaw meant that attackers could craft requests with arbitrary tokens to bypass authentication entirely.
Attack Vector
The attack vector is network-based with low complexity and requires no privileges or user interaction. An attacker can exploit this vulnerability by:
- Sending a request to an OAuth-protected endpoint with an arbitrary bearer token in the Authorization header (e.g., Authorization: Bearer malicious_token)
- Alternatively, appending a token query parameter with any value to the request URL
- The Envoy OAuth2 filter extracts this fake token and incorrectly assumes authentication is valid
- The attacker gains unauthorized access to protected resources
The security patch addresses this by removing the extractAccessToken function and the found_bearer_token_ flag that allowed this bypass:
CONSTRUCT_ON_FIRST_USE(std::string, "bearer ");
}
-std::string OAuth2Filter::extractAccessToken(const Http::RequestHeaderMap& headers) const {
- ASSERT(headers.Path() != nullptr);
-
- // Start by looking for a bearer token in the Authorization header.
- const Http::HeaderEntry* authorization = headers.getInline(authorization_handle.handle());
- if (authorization != nullptr) {
- const auto value = StringUtil::trim(authorization->value().getStringView());
- const auto& bearer_prefix = bearerPrefix();
- if (absl::StartsWithIgnoreCase(value, bearer_prefix)) {
- const size_t start = bearer_prefix.length();
- return std::string(StringUtil::ltrim(value.substr(start)));
- }
- }
-
- // Check for the named query string parameter.
- const auto path = headers.Path()->value().getStringView();
- const auto params = Http::Utility::parseQueryString(path);
- const auto param = params.find("token");
- if (param != params.end()) {
- return param->second;
- }
-
- return EMPTY_STRING;
-}
-
/**
* primary cases:
Source: GitHub Commit
The header file also removes the vulnerable flag:
std::string new_expires_;
absl::string_view host_;
std::string state_;
- bool found_bearer_token_{false};
Http::RequestHeaderMap* request_headers_{nullptr};
std::unique_ptr<OAuth2Client> oauth_client_;
Source: GitHub Commit
Detection Methods for CVE-2022-29226
Indicators of Compromise
- Unusual access patterns to OAuth-protected endpoints from unexpected sources
- Requests containing malformed or arbitrary bearer tokens that still result in successful authentication
- Access logs showing requests with Authorization: Bearer headers that don't correspond to legitimate OAuth token issuance
- Requests with token query parameters containing random or suspicious values
Detection Strategies
- Audit Envoy proxy logs for requests to protected endpoints that bypass the expected OAuth redirect flow
- Monitor for successful access to protected resources without corresponding OAuth provider token validation events
- Implement application-level logging to track authentication state discrepancies
- Review request patterns for anomalies where tokens appear valid but lack proper OAuth session establishment
Monitoring Recommendations
- Enable detailed access logging on Envoy proxies to capture Authorization headers
- Correlate Envoy access logs with OAuth provider logs to identify authentication bypasses
- Set up alerts for access to sensitive endpoints without proper OAuth session cookies
- Monitor for unusual spikes in access to OAuth-protected resources
How to Mitigate CVE-2022-29226
Immediate Actions Required
- Upgrade Envoy to version 1.22.1 or later immediately
- Audit access logs for any signs of exploitation prior to patching
- Review all OAuth-protected endpoints to ensure proper authentication after upgrade
- Consider implementing additional application-level authentication validation as defense-in-depth
Patch Information
The vulnerability has been addressed in Envoy version 1.22.1. The fix removes the vulnerable extractAccessToken function and the found_bearer_token_ flag that allowed the authentication bypass. Users should upgrade to version 1.22.1 or later to receive the security patch. The specific commit addressing this vulnerability is available at GitHub Commit 7ffda4e809dec74449ebc330cebb9d2f4ab61360. Additional details are available in the GitHub Security Advisory GHSA-h45c-2f94-prxh.
Workarounds
- There is no known workaround for this vulnerability; upgrading is required
- Implement additional authentication layer at the application level as temporary mitigation
- Consider placing affected endpoints behind additional access controls until upgrade is complete
- Monitor and restrict access to OAuth-protected resources to known-good IP ranges if possible
# Verify Envoy version after upgrade
envoy --version
# Check for vulnerable Envoy installations in Kubernetes
kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\n"}{end}' | grep envoy
# Review Envoy OAuth filter configuration
cat /etc/envoy/envoy.yaml | grep -A 20 "oauth2"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
