Hello Envoy Community,
The Envoy security team would like to announce the availability of v1.15.0, v1.14.4, v1.13.4, and v1.12.6.
This release addresses a defect in how Envoy validates TLS certificates (CVE-2020-15104). This issue has a CVSS score of 6.6 (Medium) (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C).
Impact
When validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com.
This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections.
This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you intend to trust only a subdomain. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com.
Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later.
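As an added illustration (not Envoy's own code), the following Python contrasts a suffix-based wildcard matcher that reproduces the behaviour described above with a matcher that honours the wildcard for exactly one DNS label. The refusal of bare top-level wildcards such as *.com is an extra hardening check assumed here, not something the advisory states Envoy does.

```python
"""Wildcard DNS SAN matching: the defect described in CVE-2020-15104 vs. a strict matcher."""


def san_matches_suffix_only(san: str, hostname: str) -> bool:
    """Illustrative DEFECTIVE matcher: treats '*.example.com' as 'anything
    ending in .example.com', so nested subdomains are accepted. This
    reproduces the advisory's described behaviour; it is not Envoy's code."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # ".example.com"
    return hostname.endswith(suffix) and len(hostname) > len(suffix)


def san_matches(san: str, hostname: str) -> bool:
    """Strict matcher: '*' must be the entire leftmost label, it matches
    exactly one non-empty label, and the SAN must carry at least two
    labels after the wildcard (assumed extra check that rejects '*.com')."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    # Wildcard only as the whole leftmost label; no '*' anywhere else.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    # Reject over-broad patterns like "*.com" (assumed hardening).
    if len(san_labels) < 3:
        return False
    host_labels = hostname.split(".")
    # One label per wildcard: label counts must agree exactly.
    if len(host_labels) != len(san_labels):
        return False
    if not host_labels[0]:  # leftmost label must be non-empty
        return False
    return host_labels[1:] == san_labels[1:]


if __name__ == "__main__":
    wildcard = "*.example.com"
    for host in ("subdomain.example.com", "nested.subdomain.example.com"):
        print(host, "suffix-only:", san_matches_suffix_only(wildcard, host),
              "strict:", san_matches(wildcard, host))
```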
Fix
This issue has been fixed in Envoy versions 1.15.0, 1.14.4, 1.13.4, and 1.12.6.
The commit fixing it is 7a1f2bca8c6eed217f1e914695ea29985b3f860f, which is included in 1.15.0. The issue was disclosed publicly immediately before the 1.15.0 release, which is why a security fix is included with a regularly scheduled release.