SB2020030913 - Multiple vulnerabilities in CNCF Envoy
Published: March 9, 2020
Description
This security bulletin contains information about 4 security vulnerabilities. All of them affect Envoy 1.13.0 and earlier and are fixed in Envoy 1.13.1.
1) Improper access control (CVE-ID: CVE-2020-8664)
The vulnerability allows a remote attacker to pass client certificate validation that should have failed and gain unauthorized access to the affected application.
The vulnerability exists due to incorrect access control when using SDS with a Combined Validation Context. When the same secret (e.g. a trusted CA delivered over SDS) is used across many resources together with the combined validation context, the static part of the validation context (e.g. subject alternative name matching) may not be applied, even though it is still visible in the active config dump. A remote attacker whose certificate satisfies only the dynamic part (e.g. any certificate issued by the trusted CA) can therefore be accepted by a listener that was meant to admit only specific identities.
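The configuration pattern that triggers this issue is a combined validation context whose trusted CA comes from SDS, with the same secret name reused by several listeners or clusters. The script below is an added example, not Envoy's code or part of the advisory: it walks a config dump and reports which resources share an SDS validation secret while also carrying static rules such as match_subject_alt_names. On affected versions those are the resources whose static rules may silently go unenforced, so they are the places to re-test after upgrading. The embedded config dump is a constructed, simplified excerpt (the real config_dump nesting is deeper, but the walker only looks for the combined_validation_context key, so it does not depend on the exact shape), and all resource and secret names are invented.

```python
# Added example: audit a config dump for the combined-validation-context +
# shared-SDS-secret pattern. Not Envoy's code; names below are invented.

# Constructed excerpt, not a captured config_dump. The real nesting is
# listeners -> filter_chains -> transport_socket -> typed_config -> common_tls_context,
# but find_combined_contexts() looks for the key at any depth.
CONFIG_DUMP = {
    "listeners": [
        {
            "name": "ingress_frontend",
            "common_tls_context": {
                "combined_validation_context": {
                    "default_validation_context": {
                        "match_subject_alt_names": [{"exact": "spiffe://example.org/sa/frontend"}]
                    },
                    "validation_context_sds_secret_config": {"name": "trusted_ca"},
                }
            },
        },
        {
            "name": "ingress_batch",
            "common_tls_context": {
                "combined_validation_context": {
                    "default_validation_context": {
                        "match_subject_alt_names": [{"exact": "spiffe://example.org/sa/batch"}]
                    },
                    "validation_context_sds_secret_config": {"name": "trusted_ca"},
                }
            },
        },
        {
            # Same secret, but no combined context: not the pattern in the advisory.
            "name": "ingress_plain",
            "common_tls_context": {
                "validation_context_sds_secret_config": {"name": "trusted_ca"}
            },
        },
    ]
}


def find_combined_contexts(node, path=()):
    """Yield (resource_path, sds_secret_name, has_static_rules) for every
    combined_validation_context found anywhere under `node`.
    resource_path is the chain of enclosing "name" values, e.g. ("ingress_batch",)."""
    if isinstance(node, dict):
        if isinstance(node.get("name"), str):
            path = path + (node["name"],)
        cvc = node.get("combined_validation_context")
        if isinstance(cvc, dict):
            sds = cvc.get("validation_context_sds_secret_config") or {}
            yield path, sds.get("name"), bool(cvc.get("default_validation_context"))
        for child in node.values():
            yield from find_combined_contexts(child, path)
    elif isinstance(node, list):
        for child in node:
            yield from find_combined_contexts(child, path)


def shared_secret_findings(config):
    """Map each SDS validation secret referenced by more than one combined validation
    context to the resources whose static rules may not be applied on affected versions."""
    uses = {}
    for path, secret, has_static in find_combined_contexts(config):
        if secret:
            uses.setdefault(secret, []).append((path, has_static))
    return {
        secret: [path for path, has_static in entries if has_static]
        for secret, entries in uses.items()
        if len(entries) > 1
    }


if __name__ == "__main__":
    for secret, resources in shared_secret_findings(CONFIG_DUMP).items():
        print(f"secret {secret!r} is shared by {len(resources)} combined validation contexts "
              f"with static rules: {['/'.join(r) for r in resources]}")
```

Reusing one trusted CA across many listeners is a normal design; the finding is not a misconfiguration in itself but the trigger condition on affected versions, and a reason to verify with a certificate from that CA that carries a non-matching SAN that the listener still rejects.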
2) Resource exhaustion (CVE-ID: CVE-2020-8661)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the affected software may consume excessive amounts of memory when responding internally to pipelined HTTP/1.1 requests. A remote attacker can flood a listener with pipelined requests that Envoy answers with locally generated responses, trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Improper access control (CVE-ID: CVE-2020-8660)
The vulnerability allows a remote attacker to bypass the TLS inspector listener filter.
The vulnerability exists because the TLS inspector does not recognize the TLS extensions (SNI, ALPN) in a ClientHello from a client that offers only TLS 1.3. Since those extensions are not inspected, such connections may be matched to the wrong filter chain. A remote attacker using a TLS 1.3-only client can bypass security restrictions that depend on filter chain matching and gain unauthorized access to the application.
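The point of the advisory is that a client offering only TLS 1.3 went unrecognized, so its SNI and ALPN were never read and the connection fell to whichever filter chain needed no server name. A server-name match has to read the extensions straight from the ClientHello bytes, independent of which versions the client offers. The Python below is an added example, not Envoy's tls_inspector: it builds a TLS 1.3-only ClientHello (constructed test data), parses SNI, ALPN and supported_versions directly from the record, and selects a filter chain from a hypothetical table. The serialized hello can also be written to a listener socket as a probe to see which filter chain a 1.3-only client lands on after the upgrade.

```python
# Added example: read SNI/ALPN straight from a ClientHello, independent of the TLS
# versions offered. Not Envoy's tls_inspector; the filter-chain table is invented.
import struct

# Hypothetical filter chains matched by server name; anything else is "default".
FILTER_CHAINS = [
    {"name": "internal_api", "server_names": ["api.internal.example"]},
    {"name": "public_site", "server_names": ["www.example.com"]},
]


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, alpn, versions):
    """Build a TLS record carrying a ClientHello (constructed test data).
    Per RFC 8446 the record and legacy_version fields stay 0x0303; the real offer
    is the supported_versions extension, e.g. [0x0304] for a TLS 1.3-only client."""
    host = sni.encode()
    sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_body = struct.pack("!H", len(alpn_list)) + alpn_list
    vers_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = _ext(0, sni_body) + _ext(16, alpn_body) + _ext(43, vers_body)
    hello = (
        struct.pack("!H", 0x0303) + bytes(32)      # legacy_version, random (zeroed: test data)
        + b"\x00"                                   # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello        # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record):
    """Return {'sni', 'alpn', 'versions'} read directly from the ClientHello bytes."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # legacy_version + random
    pos += 1 + body[pos]                                      # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    info = {"sni": None, "alpn": [], "versions": [0x0303]}    # no extensions: legacy_version only
    if pos + 2 > len(body):
        return info
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0:                                        # server_name: single host_name entry
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif etype == 16:                                     # application_layer_protocol_negotiation
            p = 2
            while p < len(data):
                info["alpn"].append(data[p + 1:p + 1 + data[p]].decode())
                p += 1 + data[p]
        elif etype == 43:                                     # supported_versions
            n = data[0]
            info["versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return info


def select_filter_chain(record):
    """Pick a filter chain by SNI as a server-name match would. A hello whose SNI is
    unread or unmatched lands on 'default', which is where the bypass ends up."""
    info = parse_client_hello(record)
    for chain in FILTER_CHAINS:
        if info["sni"] in chain["server_names"]:
            return chain["name"], info
    return "default", info


if __name__ == "__main__":
    for versions in ([0x0304], [0x0303, 0x0304]):
        chain, info = select_filter_chain(
            build_client_hello("api.internal.example", ["h2", "http/1.1"], versions))
        print(f"versions={[hex(v) for v in info['versions']]} sni={info['sni']} "
              f"alpn={info['alpn']} -> {chain}")
```

The check to run after upgrading is the comparison in the `__main__` block: a 1.3-only hello and a 1.2+1.3 hello with the same SNI must land on the same filter chain. If the restricted chain is the one that carries the stricter settings and the default chain is permissive, a mismatch here is exactly the bypass the advisory describes.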
4) Resource exhaustion (CVE-ID: CVE-2020-8659)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the affected software may consume excessive amounts of memory and/or CPU when proxying HTTP/1.1 requests or responses that contain many small (i.e. 1 byte) chunks. A remote attacker can send such a chunked request, or have an upstream under their control return such a chunked response, trigger resource exhaustion and perform a denial of service (DoS) attack.
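A 1-byte chunk costs the sender six bytes on the wire (`1\r\nX\r\n`) but costs a naive receiver a per-chunk allocation and bookkeeping entry, so a modest amount of input can pin down far more memory than it delivers. One generic defence on the receiving side is to budget the number of chunks against the bytes actually delivered. The Python below is an added example of that defence, not Envoy's fix (which is in the referenced release): a chunked-transfer decoder that aborts once the chunk count exceeds an allowance of base_chunks plus one chunk per min_avg_chunk bytes delivered. Both thresholds are assumed policy values; streaming endpoints that legitimately send tiny chunks (server-sent events, log tailing) need a looser setting or a time-based budget instead.

```python
# Added example: an HTTP/1.1 chunked-body decoder that budgets chunk count against
# bytes delivered. A generic defence, not Envoy's fix; thresholds are assumed values.
import re

CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]+")


class ChunkBudgetExceeded(Exception):
    """Raised when a body spends more chunk headers than its payload justifies."""


def build_chunked(pieces):
    """Encode `pieces` as a chunked body (constructed test data); empty pieces are skipped
    because a zero-size chunk would mean end of body."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces if p) + b"0\r\n\r\n"


def decode_chunked(body, base_chunks=16, min_avg_chunk=64):
    """Decode a chunked body into (payload, chunk_count).
    Aborts once chunk_count > base_chunks + delivered_bytes // min_avg_chunk.
    The defaults are assumed policy values, not standard or Envoy defaults."""
    pos, out, chunks = 0, bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        m = CHUNK_SIZE_RE.match(body, pos)            # hex size, optionally followed by ;extensions
        if not m:
            raise ValueError("bad chunk size")
        size = int(m.group(0), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out), chunks                 # last-chunk; trailers are not parsed here
        chunks += 1
        if chunks > base_chunks + len(out) // min_avg_chunk:
            raise ChunkBudgetExceeded(f"{chunks} chunks for only {len(out)} bytes delivered")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def is_rejected(body):
    """True when the budget trips, False when the body decodes; other errors propagate."""
    try:
        decode_chunked(body)
    except ChunkBudgetExceeded:
        return True
    return False


if __name__ == "__main__":
    normal = build_chunked([b"a" * 4096] * 4)
    abusive = build_chunked([b"x"] * 100_000)
    print(f"normal: {len(normal)} bytes on the wire, rejected={is_rejected(normal)}")
    print(f"abusive: {len(abusive)} bytes on the wire carrying 100000 chunks, "
          f"rejected={is_rejected(abusive)}")
```

The budget is checked before the chunk's data is copied, so an abusive body is cut off after base_chunks tiny chunks rather than after the whole stream has been buffered, and a legitimate body earns extra chunk allowance as real payload arrives.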
Remediation
Upgrade to Envoy 1.13.1 or later, which addresses all four vulnerabilities (see the vendor's version history and security advisories below).
References
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-3x9m-pgmg-xpx8
- https://www.envoyproxy.io/docs/envoy/v1.13.1/intro/version_history
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-36cq-ww7h-p4j7
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-c4g8-7grc-5wvx
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-jwcm-4pwp-c2qv