Re: Security release of Envoy 1.11.2 is now available


Asra Ali

Oct 8, 2019, 1:11:10 PM
to envoy-a...@googlegroups.com, envoy-s...@googlegroups.com, envoy-ma...@googlegroups.com
Hello Envoy Community,

The Envoy maintainers would like to announce the availability of Envoy v1.11.2.
This addresses the following CVE(s):

* CVE-2019-15225 (CVSS score 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): Users of Envoy 1.11.1 and before may configure a route to match incoming path headers when using the libstdc++ regex implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption or abnormal process termination).
See the GitHub issue for more details (https://github.com/envoyproxy/envoy/issues/8519 )

* CVE-2019-15226 (CVSS score 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 and after for HTTP/1.x traffic, and all previous versions of Envoy for HTTP/2 traffic, had O(n^2) performance characteristics. A remote attacker might craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.
See the GitHub issue for more details (https://github.com/envoyproxy/envoy/issues/8520)

Upgrading to v1.11.2 is encouraged to fix these issues.

GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.11.2
Security fix patches:
- https://github.com/envoyproxy/envoy/commit/afc39bea36fd436e54262f150c009e8d72db5014
- https://github.com/envoyproxy/envoy/commit/5c122a35ebd7d3f7678b0f1c9846c1e282bba079
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags
Release notes: https://www.envoyproxy.io/docs/envoy/v1.11.2/intro/version_history
Docs: https://www.envoyproxy.io/docs/envoy/v1.11.2/

Please reach out to us on #envoy-cve at https://envoyproxy.slack.com if you have any further questions.

**Am I vulnerable?**

Run `envoy --version` and if it indicates a base version of v1.11.1 or older you are running a vulnerable version. If you build from master and have a SHA of 9c682f815ec70da374c4c5d2e24fd7a46f868bfb or earlier, you are also running a vulnerable version.

An Envoy deployment is vulnerable to CVE-2019-15225 when regular expressions are used to route incoming HTTP requests. Prior to version 1.11.2 a recursive implementation of regular expression matching was employed, which may consume a large amount of stack memory, or exhaust it entirely, and cause the Envoy process to exit abnormally when matching long HTTP header values. Regular expressions with the '*' or '+' quantifiers are particularly vulnerable and may cause abnormal process termination when matching header values of 16 KB or longer.

All Envoy deployments are likely vulnerable to CVE-2019-15226.

**How do I mitigate the vulnerability?**

To mitigate CVE-2019-15225 in Envoy prior to v1.11.2, regular expression matching in request routing must be disabled and other types of matching (for example prefix or exact path matching) used instead. In Envoy v1.11.2 and later, the "safe_regex" field (for route path matching) and the "safe_regex_match" field (for header matching) should be used for specifying regular expressions instead of the legacy "regex" / "regex_match" fields.

To mitigate CVE-2019-15226, the maximum request header size for incoming connections can be limited through the HTTP Connection Manager in some situations. Because this is a limit on total header bytes rather than on the number of headers, lowering it only indirectly bounds how many small headers a request can carry, and so may only partially mitigate the excessive CPU consumption.

**How do I upgrade?**

Update to v1.11.2 via your Envoy distribution or rebuild from the Envoy GitHub source at the v1.11.2 tag or HEAD @ master.

**Thank you**

Thank you to Seikun Kambashi for discovering and reporting CVE-2019-15225. Thanks to Matt Klein for the CVE-2019-15225 fix. CVE-2019-15226 was discovered by Harvey Tuch and Asra Ali via a fuzz failure reported by ClusterFuzz. The 1.11.2 Envoy security release was coordinated and reviewed by Envoy security team members Matt Klein and Harvey Tuch.

Thanks,
Asra Ali (on behalf of the Envoy maintainers)
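The two mitigations described in the announcement, as an added configuration example that is not part of the original advisory or of the Envoy project's own documentation. It assumes a hypothetical listener on port 8080 routing to a single static cluster named `backend` on 127.0.0.1:9000; the regex patterns, the `x-api-key` header name and the 16 KB header limit are illustrative choices, not values from the advisory. The commented-out `regex` route shows the pre-1.11.2 form that exercised the recursive std::regex matcher (CVE-2019-15225); the live `safe_regex` and `safe_regex_match` entries are the RE2-backed replacements available from v1.11.2, and `max_request_headers_kb` caps total request header bytes on the HTTP Connection Manager (the partial mitigation for CVE-2019-15226).

```yaml
# Added example: Envoy v2 API bootstrap fragment (assumed topology, not from the advisory).
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          codec_type: AUTO
          # CVE-2019-15226 (partial) mitigation: cap total request header bytes.
          # Default is 60 KB; 16 KB is an assumed value suitable for most APIs.
          # This bounds bytes, not header count, so it only limits how many
          # small headers can fit in one request.
          max_request_headers_kb: 16
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              # VULNERABLE on <= 1.11.1 (CVE-2019-15225): legacy "regex" path match
              # runs through the recursive libstdc++ std::regex implementation.
              # - match: { regex: "^/api/v[0-9]+/items/.*" }
              #   route: { cluster: backend }
              #
              # FIXED form on >= 1.11.2: "safe_regex" selects the RE2 engine,
              # which matches in linear time and bounded memory.
              - match:
                  safe_regex:
                    google_re2: {}
                    regex: "^/api/v[0-9]+/items/.*"
                route: { cluster: backend }
              # Header matching: "safe_regex_match" replaces the legacy
              # "regex_match" string field on HeaderMatcher.
              - match:
                  prefix: "/"
                  headers:
                  - name: "x-api-key"
                    safe_regex_match:
                      google_re2: {}
                      regex: "^[A-Za-z0-9]{32}$"
                route: { cluster: backend }
          http_filters:
          - name: envoy.router
  clusters:
  - name: backend
    connect_timeout: 1s
    type: STATIC
    lb_policy: ROUND_ROBIN
    hosts:
    - socket_address: { address: 127.0.0.1, port_value: 9000 }
```

A useful side effect of this configuration is that it doubles as a version check: `safe_regex` and `safe_regex_match` are unknown fields on v1.11.1 and earlier, so `envoy --mode validate -c envoy.yaml` will reject the file on a vulnerable binary and accept it on v1.11.2 or later. On pre-1.11.2 deployments that cannot upgrade, the equivalent mitigation is to replace regex matches with `prefix` or `path` matches entirely, since the legacy fields have no safe engine to switch to.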