Security release of Envoy v1.18.3, v1.17.3, v1.16.4, v1.15.5 is now available


Yan Avlasov

May 11, 2021, 3:28:38 PM
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers

Hello Envoy Community,


The Envoy security team would like to announce the availability of Envoy v1.18.3, v1.17.3, v1.16.4, v1.15.5.

This addresses the following CVE:

CVE-2021-29492 (High): escaped slash sequences (%2F and %5C) in HTTP URL paths are not decoded before path-based access control is applied.

Upgrading to v1.18.3, v1.17.3, v1.16.4 or v1.15.5 is encouraged to fix this issue.


GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.18

Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags

Release notes: https://www.envoyproxy.io/docs/envoy/v1.18/version_history/current.rst

Docs: https://www.envoyproxy.io/docs/envoy/v1.18/

Am I vulnerable?

Run `envoy --version`; if it reports a base version of v1.18.2, v1.17.2, v1.16.3, v1.15.4 or older, you are running a vulnerable version.


This vulnerability affects Envoy components or configurations in which the request URL path is used for access control, for example an RBAC filter configured to authorize URL paths with a specific prefix, or a routing table configured to reject requests with a specific URL path. Deployments that perform no path-based access control in Envoy are not affected by this issue, but should still upgrade.

How do I mitigate the vulnerability?

If backend servers treat / and %2F, or \ and %5C, interchangeably and URL path based matching is configured in Envoy, we recommend reconfiguring the backend server so that it does not treat these sequences interchangeably, where feasible. Check this on the backend itself (for example, request a path containing %2F and observe whether it is routed as if it contained /), since Envoy's matcher and the backend's router must agree on what a path means for path-based access control to hold.

How do I upgrade?

Update to v1.18.3, v1.17.3, v1.16.4 or v1.15.5 via your Envoy distribution, or rebuild from the Envoy GitHub source at the corresponding release tag or at HEAD of master.

Vulnerability Details

CVE-2021-29492


Envoy versions 1.18.2 and earlier do not decode the escaped slash sequences %2F and %5C in HTTP URL paths before path matching. A remote attacker can craft a path containing escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control such as a block on /admin: Envoy's matcher sees a single path segment that does not start with /admin, while a backend server that decodes the slash sequences and normalizes the path resolves it to /admin. This gives the attacker access beyond the scope intended by the access control policy.


This issue is filed as CVE-2021-29492. We have rated it CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, CVSS score 8.3 (High). See the GitHub advisory for more details.
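The following Python script is an added illustration by the editor, not Envoy code and not part of the original announcement. It models the mismatch described above and in the mitigation section: a matcher that normalizes the raw path but leaves %2F and %5C undecoded (the pre-fix behaviour), a backend that decodes those escapes, folds \ into / and normalizes (the "treats / and %2F interchangeably" case), and two hardened matchers, one that rejects any path carrying an escaped slash and one that decodes and normalizes before matching. The sample paths are constructed for the demonstration; the blocked prefix `/admin` follows the advisory's example.

```python
"""Added example (not Envoy code): why matching a raw URL path bypasses a block
on /admin when the backend decodes %2F / %5C, and two ways to close the hole."""
import posixpath

BLOCKED_PREFIX = "/admin"  # the path the access-control policy is meant to protect

# Constructed sample requests: the advisory's example plus a few variants.
SAMPLE_PATHS = [
    "/admin",                    # plainly blocked
    "/admin/users",              # plainly blocked
    "/something/../admin",       # plain dot-segments: caught by normalization alone
    "/something%2F..%2Fadmin",   # escaped slashes: the CVE-2021-29492 bypass
    "/something%5C..%5Cadmin",   # escaped backslashes, for backends that treat \ as /
    "/something%2f..%2fadmin/",  # lowercase hex and a trailing slash
    "/public/index.html",        # legitimate request
]


def unescape_slashes(path: str) -> str:
    """Decode only the escaped slash sequences; other escapes are left alone."""
    out = path
    for esc, ch in (("%2F", "/"), ("%2f", "/"), ("%5C", "\\"), ("%5c", "\\")):
        out = out.replace(esc, ch)
    return out


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments; keep a trailing slash if one was present."""
    result = posixpath.normpath(path)
    if path.endswith("/") and not result.endswith("/"):
        result += "/"
    return result


def backend_view(path: str) -> str:
    """What a backend that treats / and %2F (and \\ and %5C) interchangeably
    routes on: decode the escapes, fold backslashes into slashes, normalize."""
    return normalize(unescape_slashes(path).replace("\\", "/"))


def prefix_match(path: str) -> bool:
    """The access-control rule: block /admin and everything beneath it."""
    return path == BLOCKED_PREFIX or path.startswith(BLOCKED_PREFIX + "/")


def vulnerable_is_blocked(raw_path: str) -> bool:
    """Pre-fix behaviour: normalize the path but leave %2F/%5C undecoded, so
    '/something%2F..%2Fadmin' is one segment and never matches /admin."""
    return prefix_match(normalize(raw_path))


def reject_escaped_slashes(raw_path: str) -> bool:
    """Mitigation 1: refuse any request whose path carries an escaped slash."""
    upper = raw_path.upper()
    return "%2F" in upper or "%5C" in upper


def hardened_is_blocked(raw_path: str) -> bool:
    """Mitigation 2: decode escaped slashes and normalize before matching, so
    the policy is evaluated on the same path the backend will see."""
    return prefix_match(backend_view(raw_path))


def find_bypasses(paths):
    """Paths the vulnerable matcher lets through although the backend would
    serve them from under /admin."""
    return [p for p in paths
            if not vulnerable_is_blocked(p) and prefix_match(backend_view(p))]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:28} raw-blocked={vulnerable_is_blocked(p)!s:5} "
              f"backend-sees={backend_view(p):14} "
              f"reject={reject_escaped_slashes(p)!s:5} "
              f"hardened-blocked={hardened_is_blocked(p)}")
    print("bypasses:", find_bypasses(SAMPLE_PATHS))
```

Running the script shows the three escaped-slash variants passing the raw matcher while resolving to /admin on the backend, and both hardened matchers stopping them. The two mitigations trade off differently: rejecting escaped slashes outright is the simplest and also protects backends whose decoding behaviour you do not control, whereas decoding before matching keeps such requests working for applications that legitimately carry %2F in a path segment. The fixed Envoy releases expose this same choice through the HTTP connection manager's `path_with_escaped_slashes_action` setting (a fact about the fix the editor is adding, not stated on this page; consult the release notes linked above for the exact options).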

Thank you

Thank you to Ruilin Yang (ruili...@gmail.com) for discovery and Yan Avlasov for fixing, Antonio Vicente for reviewing and Lizan Zhou for assisting with the release.


Thanks,

Yan Avlasov (on behalf of the Envoy security team and maintainers)

