Security release of Envoy 1.13.1, 1.12.3 is now available


Lizan Zhou

Mar 3, 2020, 1:02:07 PM3/3/20
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers
Hello Envoy Community,

The Envoy security team would like to announce the availability of Envoy 1.13.1 and 1.12.3.
This addresses the following CVE(s):

* CVE-2020-8659 (CVSS score 7.5, High): Excessive CPU and/or memory usage when proxying HTTP/1.1
* CVE-2020-8661 (CVSS score 7.5, High): Response flooding for HTTP/1.1
* CVE-2020-8664 (CVSS score 5.3, Medium): Incorrect Access Control when using SDS with Combined Validation Context
* CVE-2020-8660 (CVSS score 5.3, Medium): TLS inspector bypass

Upgrading to 1.13.1 or 1.12.3 is encouraged to fix these issues.

Am I vulnerable?

Run `envoy --version` and if it indicates a base version of 1.12.2, 1.13.0 or older you are running a vulnerable version.
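A small POSIX shell helper to automate that check across a fleet (an added example, not part of the advisory). It assumes `envoy --version` prints a line of the form `envoy  version: <sha>/<version>/...`, which is the format Envoy builds use as far as I know; treat that as an assumption, and the sample line below is constructed.

```shell
# Pull the base version (e.g. "1.13.0") out of the `envoy --version` banner.
# Assumed banner format: "envoy  version: <sha>/<version>/<build info>..."
extract_version() {
    printf '%s\n' "$1" \
        | sed -n 's|^.*version: *[0-9a-f]*/\([0-9][0-9.]*\)[^/]*/.*$|\1|p' \
        | head -n1
}

# Print "yes" if the base version predates the fixed releases
# (anything below 1.12.3, or 1.13.0), "no" otherwise.
is_vulnerable() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch=${patch%%[!0-9]*}   # drop suffixes such as "-dev"
    patch=${patch:-0}
    vuln=no
    if [ "$major" -lt 1 ]; then
        vuln=yes
    elif [ "$major" -eq 1 ] && [ "$minor" -lt 12 ]; then
        vuln=yes
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 12 ] && [ "$patch" -lt 3 ]; then
        vuln=yes
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 13 ] && [ "$patch" -lt 1 ]; then
        vuln=yes
    fi
    echo "$vuln"
}

# Run against the local binary: exit 1 if it needs upgrading to 1.13.1 / 1.12.3.
check_local_envoy() {
    banner=$(envoy --version 2>&1) || { echo "envoy not found"; return 2; }
    v=$(extract_version "$banner")
    [ -n "$v" ] || { echo "could not parse version from: $banner"; return 2; }
    case "$(is_vulnerable "$v")" in
        yes) echo "envoy $v is affected; upgrade to 1.13.1 or 1.12.3"; return 1 ;;
        *)   echo "envoy $v is not affected by this advisory"; return 0 ;;
    esac
}

# Constructed sample banner for a dry run (the sha is the fix commit named above).
SAMPLE='envoy  version: 5b1723ff54b1a51e104c514ee6363234aaa44366/1.13.0/clean/RELEASE/BoringSSL'
```

Call `check_local_envoy` on each host; its exit status (0 clean, 1 affected, 2 unknown) is what you would feed into an inventory script.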

How do I upgrade?

Update to 1.13.1 or 1.12.3 via your Envoy distribution or rebuild from the Envoy GitHub
source at the 1.13.1 or 1.12.3 tag or 5b1723ff54b1a51e104c514ee6363234aaa44366 @ master.

CVE-2020-8659
Envoy version 1.13.0 or earlier may consume excessive amounts of memory when proxying HTTP/1.1 requests or responses with many small (e.g. 1-byte) chunks.

CVE-2020-8661
Envoy version 1.13.0 or earlier may consume excessive amounts of memory when responding internally to pipelined requests.

CVE-2020-8664
Using the same secret (e.g. trusted CA) across many resources together with the combined validation context could lead to the “static” part of the validation context not being applied, even though it was visible in the active config dump.

CVE-2020-8660
TLS inspector could have been bypassed (not recognized as a TLS client) by a client using only TLS 1.3. Because TLS extensions (SNI, ALPN) were not inspected, those connections might have been matched to a wrong filter chain, possibly bypassing some security restrictions in the process.

Thank you to Wenlei (Frank) He at Google for discovering CVE-2020-8659, Alyssa Wilk at Google for discovering and fixing CVE-2020-8661, Andon Andonov at Microsoft, Ryan Michela at Salesforce, Scott Beardsley at Pinterest and Jasper Misset at Visma Connect for discovering CVE-2020-8664, Alexey (turbotankist) for discovering CVE-2020-8660, and Asra Ali, Antonio Vincente, Harvey Tuch, Jianfei Hu, Oliver Liu, Piotr Sikora, Yan Avlasov and Yangmin Zhu at Google, Tony Allen and Matt Klein at Lyft, and Cynthia Coan at Tetrate for fixing and testing these releases.

Thanks,

Lizan Zhou (Tetrate) (on behalf of Envoy security team and maintainers), release coordinator for 1.13.1 and 1.12.3.
