
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-21656 is a certificate authentication bypass vulnerability discovered in Envoy proxy that affects versions 1.20.1 and earlier. The vulnerability was disclosed on February 22, 2022, and was patched in version 1.20.2. The issue allows malformed certificates issued by a malicious Certificate Authority (CA) to be accepted as valid for a host due to improper Subject Alternative Name (SAN) type validation (GitHub Advisory).
The vulnerability stems from the API for matching Subject Alternative Names in X.509 certificates not considering the Subject Alternative Name type during validation. This oversight allows a malicious CA to issue malformed certificates by encoding data in incorrect SAN types (e.g., encoding a DNS hostname within an rfc822Name SAN or an email address within a uniformResourceIdentifier SAN). Such malformed certificates could successfully match against configured names, potentially bypassing nameConstraints that restrict which DNS hostnames or email addresses a CA may issue for. The vulnerability has been assigned a CVSS v3.1 score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).
The vulnerability could enable monster-in-the-middle attacks for Envoy users that rely on the X.509 nameConstraints extension to restrict CA capabilities. This particularly affects users of common, commercially-available CAs that use nameConstraints to technically constrain subordinate CAs. Organizations using enterprise-managed CAs without nameConstraints restrictions may be less impacted, as they already fully trust their CAs (GitHub Advisory).
The vulnerability was patched in Envoy version 1.20.2. Users must replace all usage of `match_subject_alt_names` with `match_typed_subject_alt_names` to ensure proper validation of Subject Alternative Name types and nameConstraints. No workarounds are available for unpatched versions (GitHub Advisory).
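The following is an added example, not Envoy's own code or anything from the advisory: it models the behavioural difference between the deprecated, type-blind `match_subject_alt_names` validation and the typed `match_typed_subject_alt_names` validation that the fix requires, and it shows the weak `validation_context` fragment beside the corrected one (written here as Python dicts mirroring the YAML field names). The certificates are constructed stand-ins, a list of `(san_type, value)` pairs as they would come out of a decoded GeneralName sequence, and `matcher_accepts` is a simplified stand-in for Envoy's StringMatcher covering only `exact`, `suffix` and `safe_regex`.

```python
"""Added example (not Envoy's code): typed vs. type-blind SAN matching.

Models the check Envoy performs on a peer certificate's Subject Alternative
Names so the effect of CVE-2022-21656 and its fix can be seen on constructed
input, without a real X.509 parser.
"""
import re

# GeneralName choices, named as in Envoy's SubjectAltNameMatcher.SanType enum.
DNS, EMAIL, URI, IP = "DNS", "EMAIL", "URI", "IP_ADDRESS"


def matcher_accepts(matcher: dict, value: str) -> bool:
    """Simplified stand-in for Envoy's StringMatcher (assumption: only these
    three forms are modelled; prefix/contains/ignore_case are omitted)."""
    if "exact" in matcher:
        return value == matcher["exact"]
    if "suffix" in matcher:
        return value.endswith(matcher["suffix"])
    if "safe_regex" in matcher:
        return re.fullmatch(matcher["safe_regex"]["regex"], value) is not None
    raise ValueError(f"unsupported matcher: {matcher}")


def match_untyped(cert_sans, matchers) -> bool:
    """Pre-fix behaviour (match_subject_alt_names): every SAN value is compared
    against every matcher, and the SAN's type is ignored entirely."""
    return any(matcher_accepts(m, value) for _type, value in cert_sans for m in matchers)


def match_typed(cert_sans, typed_matchers) -> bool:
    """Fixed behaviour (match_typed_subject_alt_names): a SAN value is only
    compared against matchers bound to the same san_type."""
    return any(
        matcher_accepts(tm["matcher"], value)
        for san_type, value in cert_sans
        for tm in typed_matchers
        if tm["san_type"] == san_type
    )


# Weak fragment of a CertificateValidationContext (deprecated field).
WEAK_VALIDATION_CONTEXT = {
    "match_subject_alt_names": [{"exact": "api.internal.example"}],
}

# Corrected fragment: each matcher is explicitly bound to a SAN type.
FIXED_VALIDATION_CONTEXT = {
    "match_typed_subject_alt_names": [
        {"san_type": DNS, "matcher": {"exact": "api.internal.example"}},
    ],
}


def validate_peer(validation_context: dict, cert_sans) -> bool:
    """Dispatch on whichever field the validation_context fragment uses."""
    if "match_typed_subject_alt_names" in validation_context:
        return match_typed(cert_sans, validation_context["match_typed_subject_alt_names"])
    return match_untyped(cert_sans, validation_context["match_subject_alt_names"])


# Constructed certificates (SAN lists only). The malformed one is what a CA
# constrained by nameConstraints on dNSName could still issue: the hostname is
# stuffed into an rfc822Name SAN, which the DNS constraint does not cover.
LEGIT_CERT_SANS = [(DNS, "api.internal.example")]
MALFORMED_CERT_SANS = [(EMAIL, "api.internal.example")]


def summary() -> dict:
    """Outcome of each (config, certificate) pairing; True means accepted."""
    return {
        "weak/legit": validate_peer(WEAK_VALIDATION_CONTEXT, LEGIT_CERT_SANS),
        "weak/malformed": validate_peer(WEAK_VALIDATION_CONTEXT, MALFORMED_CERT_SANS),
        "fixed/legit": validate_peer(FIXED_VALIDATION_CONTEXT, LEGIT_CERT_SANS),
        "fixed/malformed": validate_peer(FIXED_VALIDATION_CONTEXT, MALFORMED_CERT_SANS),
    }


if __name__ == "__main__":
    for case, accepted in summary().items():
        print(f"{case:16s} -> {'accepted' if accepted else 'rejected'}")
```

The `weak/malformed` case is the vulnerability: a hostname carried in an rfc822Name SAN satisfies the untyped matcher even though no dNSName SAN is present, so a CA whose nameConstraints only restrict dNSName entries can still produce a certificate Envoy accepts for that host. Binding each matcher to `san_type: DNS` makes the same certificate fail, which is why the advisory requires migrating every `match_subject_alt_names` entry rather than merely upgrading.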
Source: This report was generated using AI