Security release of Envoy 1.15.1, 1.14.5, 1.13.6, and 1.12.7 is now available


Antonio Vicente

Sep 29, 2020, 7:49:04 PM
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers

Hello Envoy Community,


The Envoy security team would like to announce the availability of Envoy versions 1.15.1, 1.14.5, 1.13.6, and 1.12.7.

This addresses the following CVE(s):


* CVE-2020-25017 (CVSS score 6.5, Medium): Incorrect handling of duplicate HTTP headers


Upgrading to 1.15.1, 1.14.5, 1.13.6, or 1.12.7 is encouraged to fix this issue.

For v1.15.1:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.15.1

Docker images: docker pull envoyproxy/envoy:v1.15.1

Text release notes can be found here

Expect a follow-up email tomorrow with links to release notes and docs for 1.15.1.

For v1.14.5:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.14.5

Docker images: docker pull envoyproxy/envoy:v1.14.5

Release notes: https://www.envoyproxy.io/docs/envoy/v1.14.5/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.14.5/

For v1.13.6:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.13.6

Docker images: docker pull envoyproxy/envoy:v1.13.6

Release notes: https://www.envoyproxy.io/docs/envoy/v1.13.6/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.13.6/

For v1.12.7:

GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.12.7

Docker images: docker pull envoyproxy/envoy:v1.12.7

Release notes: https://www.envoyproxy.io/docs/envoy/v1.12.7/intro/version_history

Docs: https://www.envoyproxy.io/docs/envoy/v1.12.7/

Am I vulnerable?

Run `envoy --version`; if it indicates a base version of 1.15.0, 1.14.4, 1.13.4, 1.12.6 or older, you are running a vulnerable version.

How do I upgrade?

Update to 1.15.1, 1.14.5, 1.13.6, or 1.12.7 via your Envoy distribution or rebuild from the Envoy GitHub source at the 1.15.1, 1.14.5, 1.13.6, or 1.12.7 tag or HEAD @ master.

Vulnerability Details

CVE-2020-25017 Incorrect handling of duplicate HTTP headers

Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurrences of a non-inline header.
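To make the defect class concrete, the following is an added C++ model written for this announcement, not Envoy's own HeaderMap code: headers are kept as an ordered list that may hold duplicate keys, a set that overwrites only the first occurrence leaves the second value in place, and the corrected form removes every occurrence before inserting one. The header name and values are constructed for the example.

```cpp
// Added illustration of the defect class, not Envoy's HeaderMap: headers are
// modelled as an ordered list that may hold duplicate keys.
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

using HeaderMap = std::vector<std::pair<std::string, std::string>>;

// Number of entries carrying this key (lower-case keys assumed).
int countKey(const HeaderMap& h, const std::string& key) {
  int n = 0;
  for (const auto& kv : h) if (kv.first == key) ++n;
  return n;
}

// Value of the last entry with this key, which is what a consumer that reads
// the final occurrence (rather than the first) will see.
std::string lastValue(const HeaderMap& h, const std::string& key) {
  std::string v;
  for (const auto& kv : h) if (kv.first == key) v = kv.second;
  return v;
}

// Defective pattern: only the first matching entry is overwritten, so a
// duplicate keeps its original value and survives the "set".
void setCopyFirstOnly(HeaderMap& h, const std::string& key, const std::string& value) {
  for (auto& kv : h) if (kv.first == key) { kv.second = value; return; }
  h.emplace_back(key, value);
}

// Corrected pattern: remove every occurrence, then insert exactly one.
void setCopyAll(HeaderMap& h, const std::string& key, const std::string& value) {
  h.erase(std::remove_if(h.begin(), h.end(), [&](const auto& kv) { return kv.first == key; }), h.end());
  h.emplace_back(key, value);
}

// Constructed sample: a made-up non-inline header that arrived twice.
HeaderMap sampleRequest() {
  return {{"host", "example.test"}, {"x-example-tenant", "first"}, {"x-example-tenant", "second"}};
}

// Applies one strategy to the sample so the outcome can be inspected.
HeaderMap applyToSample(bool replaceAll) {
  HeaderMap h = sampleRequest();
  if (replaceAll) setCopyAll(h, "x-example-tenant", "trusted");
  else setCopyFirstOnly(h, "x-example-tenant", "trusted");
  return h;
}
```

A useful post-condition check in any header-rewriting code is that `countKey` equals 1 after a set; the first-only variant fails that check whenever the header arrived more than once.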


We rated CVE-2020-25017 as CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L (8.3, High). See the GitHub advisory for more details.

Thank you

Thank you to Harvey Tuch, Mark D. Roth, Matt Klein, and Yuchen Dai for making this release happen.


Thanks,

Antonio Vicente (on behalf of the Envoy security team and maintainers)
