Hello Envoy Community,
The Envoy security team would like to announce the availability of Envoy 1.12.2.
This addresses the following CVE(s):
CVE-2019-18801 (CVSS score 9.0, Critical): An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1.
CVE-2019-18802 (CVSS score 7.5, High): A request header with trailing whitespace may cause route matchers or access controls to be bypassed, resulting in escalation of privileges or information disclosure.
CVE-2019-18838 (CVSS score 7.5, High): A malformed HTTP request without the Host header may cause abnormal termination of the Envoy process.
Upgrading to 1.12.2 is encouraged to fix these issues.
In addition, please see the recommended configuration settings for multi-level deployments of Envoy at https://www.envoyproxy.io/docs/envoy/v1.12.2/configuration/best_practices/level_two
GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.12.2
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags
Release notes: https://www.envoyproxy.io/docs/envoy/v1.12.2/intro/version_history
Docs: https://www.envoyproxy.io/docs/envoy/v1.12.2/
**Am I vulnerable?**
Run `envoy --version`; if it indicates a base version of 1.12.1 or older, you are running a vulnerable version.
An Envoy deployment is vulnerable to CVE-2019-18801 if it is configured to receive HTTP/2 requests from clients that may be proxied to HTTP/1 upstream servers.
An Envoy deployment is vulnerable to CVE-2019-18802 if it is configured with access controls or routing rules based on header values.
An Envoy deployment is vulnerable to CVE-2019-18838 if it is configured with a response/encoder Lua filter or vendor-specific encoder filters that attempt to load the cached route during encoding.
**How do I mitigate the vulnerability?**
To mitigate CVE-2019-18801 you can:
- Disable the HTTP/2 protocol for clients.
- Disable HTTP/1 upstream servers.
- Reduce header size limits to below 2KB. It might be possible to configure a limit as high as somewhere near 4KB, but 2KB is a conservative size. The relevant setting is the HTTP connection manager's `max_request_headers_kb` field.
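The following is an added example, not configuration from the advisory or the Envoy project, showing a minimal v1.12 static listener that applies the first and third mitigations above (HTTP/1-only client codec and a 2KB request header cap); the listener address, port, and the `backend` cluster are assumed placeholders.

```yaml
# Added example: listener applying two CVE-2019-18801 mitigations.
# Address, port and the "backend" cluster are placeholders.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          # Mitigation: do not speak HTTP/2 with clients. The default codec
          # (AUTO) accepts HTTP/2 via ALPN on TLS listeners or via the h2c
          # connection preface on plaintext; HTTP1 refuses both.
          codec_type: HTTP1
          # Mitigation: cap request headers at the conservative 2KB bound
          # named above. Omitting this line leaves Envoy's default limit.
          max_request_headers_kb: 2
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          - name: envoy.router
  clusters:
  # No http2_protocol_options: this upstream is HTTP/1, which is the
  # upstream side of the vulnerable combination the advisory describes.
  - name: backend
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

Clients that legitimately send larger headers (for example large cookies or tokens) will receive a 431 response once the cap is in place, so check access logs for that status after deploying it.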
There are no mitigations for CVE-2019-18802.
To mitigate CVE-2019-18838, disable the Lua filter or vendor-specific encoder filters.
**How do I upgrade?**
Update to 1.12.2 via your Envoy distribution or rebuild from the Envoy GitHub source at the v1.12.2 tag or commit 75e768bc77fcf6494f8facf962dd06b8033c1187 @ master.
**Vulnerability Details**
***CVE-2019-18801***
An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1
This issue is filed as CVE-2019-18801. We have rated it as [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
(CVSS score 9.0, Critical) [See the GitHub advisory for more details](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gxvv-x4p2-rppp)
***CVE-2019-18802***
Malformed request header may cause route matchers or access controls to be bypassed, resulting in escalation of privileges or information disclosure.
This issue is filed as CVE-2019-18802. We have rated it as [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
(CVSS score 7.5, High) [See the GitHub advisory for more details](https://github.com/envoyproxy/envoy/security/advisories/GHSA-356m-vhw2-wcm4)
***CVE-2019-18838***
A malformed HTTP request without the Host header may cause abnormal termination of the Envoy process.
This issue is filed as CVE-2019-18838. We have rated it as [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
(CVSS score 7.5, High) [See the GitHub advisory for more details](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f2rv-4w6x-rwhc)
**Thank you**
Thank you to Harvey Tuch at Google for discovering and fixing CVE-2019-18801, to Alyssa Wilk at Google for discovering and fixing CVE-2019-18802, and to Oleg Guba at Dropbox for discovering and reporting CVE-2019-18838 and Matt Klein at Lyft for fixing it.
Thanks,
Yan Avlasov (Google) (on behalf of the Envoy security team), release coordinator for 1.12.2.