We would like to announce the availability of Envoy 1.19.1, 1.18.4, 1.17.4, and 1.16.5!
Upgrading to 1.19.1, 1.18.4, 1.17.4, or 1.16.5 is encouraged to fix these issues. These versions contain fixes for the following CVE(s):
- CVE-2021-32777 (CVSS score 8.6, High): Envoy through 1.19.1 contains a remotely exploitable vulnerability where an HTTP request with multiple value headers may bypass authorization policies in ext_authz extension.
- CVE-2021-32779 (CVSS score 8.6, High): Envoy through 1.19.1 contains a remotely exploitable vulnerability where an HTTP request with #fragment in the URI path may bypass Envoy’s URI path based authorization policies.
- CVE-2021-32781 (CVSS score 8.6, High): Envoy through 1.19.1 contains a remotely exploitable vulnerability that affects Envoy's decompressor, json-transcoder or grpc-web extensions or proprietary extensions that modify and increase the size of request or response bodies. Modifying and increasing the size of the body in an Envoy’s extension beyond internal buffer size may lead to Envoy accessing deallocated memory and terminating abnormally.
- CVE-2021-32778 (CVSS score 8.6, High): Envoy through 1.19.1 contains a remotely exploitable vulnerability where an Envoy client opening and then resetting a large number of HTTP/2 requests may lead to excessive CPU consumption.
IMPORTANT: Due to significant divergence in the affected source code between Envoy versions 1.16 and 1.17, it is not feasible to backport the fix into the 1.16 stable branch without increasing the risk of destabilizing it. As a result, operators of Envoy version 1.16 are recommended to limit the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, e.g. 10.
- CVE-2021-32780 (CVSS score 8.6, High): Envoy 1.18 through 1.19.1 contains a remotely exploitable vulnerability where an untrusted upstream service may cause Envoy to terminate abnormally by sending the GOAWAY frame followed by the SETTINGS frame with the SETTINGS_MAX_CONCURRENT_STREAMS parameter set to 0.
Note: this vulnerability does not impact downstream client connections.
Documentation for all versions can be found at https://www.envoyproxy.io/docs.
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.19.1
Docker images: docker pull envoyproxy/envoy:v1.19.1
Release notes: https://www.envoyproxy.io/docs/envoy/v1.19.1/version_history/current
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.18.4
Docker images: docker pull envoyproxy/envoy:v1.18.4
Release notes: https://www.envoyproxy.io/docs/envoy/v1.18.4/version_history/current
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.17.4
Docker images: docker pull envoyproxy/envoy:v1.17.4
Release notes: https://www.envoyproxy.io/docs/envoy/v1.17.4/version_history/current
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.16.5
Docker images: docker pull envoyproxy/envoy:v1.16.5
Release notes: https://www.envoyproxy.io/docs/envoy/v1.16.5/version_history/current
Note: the Docker images and release notes are pending CI progress, so they might not be immediately available.
Checking whether you are vulnerable:
Run `envoy --version`; if it indicates a base version matching or older than 1.19.1, 1.18.4, 1.17.4, or 1.16.5, you are running a vulnerable version.
Incorrect concatenation of multiple value request headers in ext-authz extension (CVE-2021-32777):
Incorrect handling of the URI '#fragment' element as part of the path element (CVE-2021-32779):
Continued processing of requests after locally generated response (CVE-2021-32781):
Excessive CPU utilization when closing HTTP/2 streams (CVE-2021-32778):
Incorrect handling of H/2 GOAWAY followed by SETTINGS frames (CVE-2021-32780):
Thank you to Chaoqin Li, Yangmin Zhu, Raul Gutierrez Segales and Nikolas Koutounidis for making this release happen. A lot of work happens behind the scenes!
Adi Peleg, Yan Avlasov and Lizan Zhou (on behalf of the Envoy security team and maintainers)