Security releases of Envoy v1.15.0, v1.14.4, v1.13.4, and v1.12.6 are now available


Greg Greenway

Jul 8, 2020, 11:47:31 AM
to envoy-secur...@googlegroups.com, envoy-ma...@googlegroups.com
Hello Envoy Community,

The Envoy security team would like to announce the availability of v1.15.0, v1.14.4, v1.13.4, and v1.12.6.

This release addresses a defect in how Envoy validates TLS certificates. A CVE number has been requested but not yet issued. This issue has a CVSS score of 6.6 (Medium) (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C).

Impact

When validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com.

This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections.

This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com.

Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later.

Fix

This issue has been fixed in Envoy versions 1.15.0, 1.14.4, 1.13.4, and 1.12.6.

The commit fixing it is 7a1f2bca8c6eed217f1e914695ea29985b3f860f, which is included in 1.15.0. The issue was disclosed publicly immediately before the 1.15.0 release, which is why a security fix is included with a regularly scheduled release.
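The matching rule the advisory describes, as an added illustration that is not part of the advisory and not Envoy's own code: `dnsNameMatches` compares a hostname against one DNS SAN, and the `strict` flag switches between the pre-fix behaviour (the `*` label may stand for any number of labels, so `*.example.com` covers `nested.subdomain.example.com`) and the corrected behaviour (the `*` label stands for exactly one label, per RFC 6125 section 6.4.3). `anySanMatches` stands in for checking a host against a configured list of names such as `match_subject_alt_names`. Function names, the sample hostnames and the lax/strict split are assumptions made for this example; the code does not consult a public-suffix list, so a name like `*.com` is rejected only because it would cover more than one label.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <string_view>
#include <vector>

// Illustrative reimplementation of wildcard DNS SAN matching (example code,
// not Envoy's implementation). `strict == false` models the defective
// behaviour described in the advisory; `strict == true` models the fix.

namespace {
std::string toLower(std::string_view s) {
  std::string out(s);
  std::transform(out.begin(), out.end(), out.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return out;
}
}  // namespace

// Returns true when `host_in` is covered by the DNS SAN `pattern_in`.
bool dnsNameMatches(std::string_view pattern_in, std::string_view host_in, bool strict) {
  const std::string pattern = toLower(pattern_in);
  const std::string host = toLower(host_in);
  if (pattern.empty() || host.empty()) {
    return false;
  }

  // No wildcard: exact, case-insensitive comparison.
  if (pattern[0] != '*') {
    return pattern == host;
  }

  // Only the form "*.<suffix>" is accepted. A bare "*", a wildcard that is
  // not the whole left-most label ("f*.example.com") or more than one
  // wildcard ("*.*.example.com") are rejected outright.
  if (pattern.size() < 2 || pattern[1] != '.') {
    return false;
  }
  if (pattern.find('*', 1) != std::string::npos) {
    return false;
  }

  // suffix is ".example.com" for the pattern "*.example.com".
  const std::string suffix = pattern.substr(1);
  if (host.size() <= suffix.size()) {
    return false;  // host is no longer than the suffix, so nothing is left for "*"
  }
  if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0) {
    return false;  // host does not end with the suffix
  }

  // `covered` is the part of the host that the "*" stands for.
  const std::string covered = host.substr(0, host.size() - suffix.size());
  if (covered.empty()) {
    return false;
  }

  // Pre-fix behaviour: any non-empty prefix is accepted, including
  // "nested.subdomain". Fixed behaviour: the wildcard covers exactly one
  // label, so a dot inside `covered` is a mismatch.
  if (strict && covered.find('.') != std::string::npos) {
    return false;
  }
  return true;
}

// Models checking a host against a list of permitted SANs: the connection
// is accepted if any configured name matches.
bool anySanMatches(const std::vector<std::string>& sans, std::string_view host, bool strict) {
  return std::any_of(sans.begin(), sans.end(), [&](const std::string& san) {
    return dnsNameMatches(san, host, strict);
  });
}

int main() {
  // Constructed sample: the operator intends to trust only
  // api.mysubdomain.example.com, and an attacker holds "*.example.com".
  const std::vector<std::string> attacker_sans = {"*.example.com"};
  const char* host = "api.mysubdomain.example.com";
  std::printf("lax   (pre-fix) : %s\n", anySanMatches(attacker_sans, host, false) ? "ACCEPTED" : "rejected");
  std::printf("strict (fixed)  : %s\n", anySanMatches(attacker_sans, host, true) ? "ACCEPTED" : "rejected");
  return 0;
}
```

With the sample input above the lax mode accepts the attacker's certificate and the strict mode rejects it; the single-label rule also rejects `*.com` for the same host, which is the second case the advisory mentions.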

Greg Greenway

Jul 8, 2020, 4:15:24 PM
to 'Greg Greenway' via envoy-security-announce, envoy...@googlegroups.com, envoy-ma...@googlegroups.com
This issue has been assigned CVE-2020-15104