Hello Envoy Community,
The Envoy security team would like to announce the availability of Envoy v1.18.3, v1.17.3, v1.16.4, v1.15.5.
This addresses the following CVE(s):
CVE-2021-29492 (CVSS score 8.3, High): Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Upgrading to v1.18.3, v1.17.3, v1.16.4, v1.15.5 is encouraged to fix these issues.
GitHub tag: https://github.com/envoyproxy/envoy/releases/tag/v1.18
Docker images: https://hub.docker.com/r/envoyproxy/envoy/tags
Release notes: https://www.envoyproxy.io/docs/envoy/v1.18/version_history/current.rst
Docs: https://www.envoyproxy.io/docs/envoy/v1.18/
Run `envoy --version`; if it reports a base version of v1.18.2, v1.17.2, v1.16.3, v1.15.4 or
older, you are running a vulnerable version.
This vulnerability affects Envoy components or configuration where the request URL path is used for access control, for example an RBAC extension configured to authorize URL paths with a specific prefix, or a routing table configured to reject requests with a specific URL path.
If backend servers treat / and %2F, or \ and %5C, interchangeably and URL path based matching is configured, we recommend reconfiguring the backend server to not treat / and %2F, or \ and %5C, interchangeably, if feasible.
Update to v1.18.3, v1.17.3, v1.16.4, v1.15.5 via your Envoy distribution or rebuild from the Envoy GitHub source at the $VERSION tag or HEAD @ master.
Envoy versions 1.18.2 and earlier do not decode the escaped slash sequences %2F and %5C in HTTP URL paths. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A backend server could then decode the slash sequences and normalize the path, which would give the attacker access beyond the scope provided for by the access control policy.
This issue is filed as CVE-2021-29492. We have rated it as CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L, CVSS score 8.3 (High). See the GitHub advisory for more details.
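To make the mismatch described above concrete, the following is an added example (not Envoy code and not part of this advisory). It models a prefix-based block on /admin the way a proxy that does not decode %2F/%5C evaluates it, beside a check that first normalizes the path the way a lenient backend would, plus the alternative of simply rejecting any path containing an escaped slash. All function names and the sample paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

BLOCKED_PREFIX = "/admin"  # hypothetical access-control rule from the advisory's example

# Matches %2F / %2f (slash) and %5C / %5c (backslash) anywhere in the path.
ESCAPED_SLASH_RE = re.compile(r"%2[fF]|%5[cC]")


def has_escaped_slash(path: str) -> bool:
    """Strict policy: a path that carries an escaped slash is suspicious on its own."""
    return ESCAPED_SLASH_RE.search(path) is not None


def naive_is_blocked(path: str, blocked_prefix: str = BLOCKED_PREFIX) -> bool:
    """Pre-fix style check: prefix match on the raw, still-escaped path."""
    return path.startswith(blocked_prefix)


def normalize_path(path: str) -> str:
    """Approximate what a lenient backend does before routing the request:
    percent-decode (so %2F becomes '/' and %5C becomes '\\'), treat backslash
    as a separator, and resolve '.' and '..' segments (RFC 3986 style)."""
    decoded = unquote(path).replace("\\", "/")
    resolved = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)


def hardened_is_blocked(path: str, blocked_prefix: str = BLOCKED_PREFIX) -> bool:
    """Normalize first, then apply the same prefix rule, so the proxy sees the
    path the way the backend will."""
    return normalize_path(path).startswith(blocked_prefix)


if __name__ == "__main__":
    # Constructed sample paths; the second is the advisory's own example.
    for sample in ("/admin", "/something%2F..%2Fadmin", "/something%5C..%5Cadmin", "/public/index.html"):
        print(
            f"{sample:28} naive_blocked={naive_is_blocked(sample)!s:5} "
            f"normalized={normalize_path(sample):20} hardened_blocked={hardened_is_blocked(sample)!s:5} "
            f"escaped_slash={has_escaped_slash(sample)}"
        )
```

The two hardened functions correspond to the two ways of closing the gap: either reject requests whose path contains an escaped slash (`has_escaped_slash`), or decode and normalize before matching so the proxy and backend agree on what the path is (`hardened_is_blocked`). Which one is appropriate depends on whether legitimate clients ever send %2F or %5C in paths.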
Thank you to Ruilin Yang (ruili...@gmail.com) for discovery and Yan Avlasov for fixing, Antonio Vicente for reviewing and Lizan Zhou for assisting with the release.
Thanks,
Yan Avlasov (on behalf of the Envoy security team and maintainers)