Bug 1200402 (CVE-2022-29226) - VUL-0: CVE-2022-29226: envoy-proxy: oauth filter allows trivial bypass
Summary: VUL-0: CVE-2022-29226: envoy-proxy: oauth filter allows trivial bypass
Status: RESOLVED INVALID
Alias: CVE-2022-29226
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.3
Hardware: Other Other
Importance: P5 - None : Major
Target Milestone: ---
Assignee: Wolfgang Engel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/334101/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-10 07:08 UTC by Carlos López
Modified: 2022-06-10 07:09 UTC
0 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-06-10 07:08:28 UTC
rh#2088739

The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2088739
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29226
https://github.com/envoyproxy/envoy/commit/7ffda4e809dec74449ebc330cebb9d2f4ab61360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29226
https://github.com/envoyproxy/envoy/security/advisories/GHSA-h45c-2f94-prxh
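
A simplified model of the decision logic described above, as an added example that is not Envoy's code and not part of the original report. The cookie fields, signing format, secret and function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not from the report


def sign(host: str, expires: str) -> str:
    """HMAC the proxy attaches to the session cookie after a completed login."""
    return hmac.new(SECRET, f"{host}|{expires}".encode(), hashlib.sha256).hexdigest()


def cookie_is_valid(host: str, cookies: dict, now: int) -> bool:
    """True only for an unexpired cookie whose HMAC the proxy itself produced."""
    expires, mac = cookies.get("expires", ""), cookies.get("hmac", "")
    if not expires.isdecimal() or int(expires) <= now:
        return False
    # Constant-time comparison of the presented and the expected HMAC.
    return hmac.compare_digest(mac.encode(), sign(host, expires).encode())


def flawed_decision(host: str, headers: dict, cookies: dict, now: int) -> str:
    """Behaviour the report describes: an attached token is assumed validated."""
    if headers.get("authorization", "").startswith("Bearer "):
        return "allow"
    return "allow" if cookie_is_valid(host, cookies, now) else "start_oauth_flow"


def fixed_decision(host: str, headers: dict, cookies: dict, now: int) -> str:
    """Intended design: only the signed cookie grants access; the filter cannot
    validate tokens, so a token alone triggers the full authentication flow."""
    return "allow" if cookie_is_valid(host, cookies, now) else "start_oauth_flow"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    request = {"authorization": "Bearer unverified-token"}  # constructed header
    print("flawed:", flawed_decision("app.example", request, {}, now))
    print("fixed: ", fixed_decision("app.example", request, {}, now))
```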
Comment 1 Carlos López 2022-06-10 07:09:26 UTC
No OAuth filter in our openSUSE:Backports:SLE-15-SP3:Update package, so we are not affected. Closing.